
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

Unfortunately, these products will only slow down a dedicated reverser and are not a totally effective mitigation.

XML Attacks

Chapter 5: .Net Security 117

The .Net Framework class libraries have extensive, native support for XML. This support is provided through the System.Xml namespace. Using the .Net Framework, application developers can easily write applications that consume or produce XML, perform Extensible Stylesheet Language Transformations (XSLT), apply XML Schema Definition (XSD) schema validation, or use XML-based web services. Unfortunately, many of the original XML classes were vulnerable to common XML attacks such as external entity (XXE, as discussed in Chapter 1) references and the billion laughs attack. While many of the defaults have been changed in the new .Net 2.0 classes, the core XML classes were not changed, as this would have an impact on backward compatibility. Microsoft's deference to backward compatibility means that developers can easily make mistakes when handling XML from untrusted sources. A skilled attacker can make use of such issues whenever XML and .Net are being used together.
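The safe configuration the text implies, as an added example that is not code from the book: the same DOCTYPE-bearing document is parsed once with DTD processing enabled and once with DTDs prohibited and the resolver disabled, so the hardened reader rejects untrusted input before any entity is expanded or fetched. It assumes the .NET 4.0+ System.Xml API (DtdProcessing, MaxCharactersFromEntities); on .Net 2.0 the equivalent switch is XmlReaderSettings.ProhibitDtd. The sample document is constructed.

```csharp
using System;
using System.IO;
using System.Xml;

class XmlHardeningDemo
{
    // Constructed sample: a document that carries a DOCTYPE declaring an entity.
    // Untrusted input has no legitimate reason to declare entities at all.
    const string UntrustedXml =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note [ <!ENTITY greet \"hello\"> ]>\n" +
        "<note>&greet;</note>";

    // Weak: DTD processing is enabled, so entity declarations are honoured and
    // expanded; whether external entities are also fetched depends on the
    // framework version's default XmlResolver, which is why it must be set explicitly.
    static string ParsePermissive(string xml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Parse };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument();
            doc.Load(reader);
            return doc.DocumentElement.InnerText; // "hello": the entity was expanded
        }
    }

    // Hardened: refuse DTDs outright (stops XXE and billion laughs at the source),
    // drop the resolver so nothing can be fetched, and cap entity expansion
    // as defence in depth should a DTD ever have to be allowed.
    static string ParseHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
            MaxCharactersFromEntities = 1024
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader); // throws XmlException on the DOCTYPE before any expansion
            return doc.DocumentElement.InnerText;
        }
    }

    static void Main()
    {
        Console.WriteLine("permissive: " + ParsePermissive(UntrustedXml));
        try { Console.WriteLine("hardened: " + ParseHardened(UntrustedXml)); }
        catch (XmlException e) { Console.WriteLine("hardened rejected input: " + e.Message); }
    }
}
```

Note that XmlDocument.Load(string) and the older XmlTextReader bypass XmlReaderSettings entirely, so the settings shown here only help when every untrusted parse path is routed through XmlReader.Create.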
One of the more common methods of manipulating XML in .

