XML Intrusion Prevention

Agenda

XIP – XML Intrusion Prevention

The Threats: Lingo

XML Web Services Architecture

XML Threat Model

XIP Device Requirements

XIP Device

XML Threat Model

XML Threat Details

Structural Threats

Structural Threat: Huge Document

Structural Threat: Weird Structure

Structural Threat: Huge Binary Blobs

Structural Threats: Why?

Parsing: SOAP Document Example

DOM Example

DOM Parsing Memory Requirements

SAX Specific Exploits

Context-Free Filtering

Overlapped Parsing and Consumption

Stream Replay and Storage

XML Parsing Conclusions

Typical Countermeasures

Schema Validation Problems

Parsing Precondition

XML Schema Extensibility

OASIS WS-Security Schema Example

Schema Validation: Inadequate

Structural Threat Prevention: Requirements

Semantic Threats

SQL Injection Example

SQL Injection

SOAP: SQL Injection Example

SOAP Array Attack

Typical Countermeasures

Schema Validation Problems

<Pattern> Facet Example

Semantic Threat Prevention: Requirements

XML & Web Services: The Universal Tunnel

De-Perimeterization

Network Targets

Universal Tunnel Problems

Security Cycle

Summary