Hunting Security Bugs
Use the following tips when you are testing products that use XML:
- When you test an application that consumes XML input, do not limit testing to XML-specific cases. Most non-XML-specific attacks (HTML scripting attacks, spoofing, buffer overflows, information disclosure, etc.) can occur through XML.
- Use CDATA and character references to include arbitrary characters as part of the XML, while still creating well-formed and valid XML.
- When creating XML input, it is important to use an editor that allows complete control of all aspects of the data. For example, an XML-specific editor might not allow you to create certain fields or might automatically change data when saving it. A basic text or binary editor is ideal for XML files and a Web proxy for SOAP messages.
- Don't forget the XML- and SOAP-specific tests, including infinite entity reference loops, XML bombs, complex XML, external entities, XML injection, large file references, and SOAP array DoS.