Whitepaper – XML Schema, DTD, and Entity Attacks: A Compendium of Known Techniques

by Timothy D. Morgan and Omar Al Ibrahim

The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. A core feature of XML is the ability to define and validate document structure using schemas and document type definitions (DTDs). When used incorrectly, certain aspects of these document definition and validation features can lead to security vulnerabilities in applications that use XML. This document attempts to provide an up to date reference on these attacks, enumerating all publicly known techniques applicable to the most popular XML parsers in use while exploring a few novel attacks as well.

This paper can be downloaded below.

Editor’s note: This work was originally published by VSR on May 19 2014 at https://www.vsecurity.com/download/publications/XMLDTDEntityAttacks.pdf. VSR is now a part of NCC Group, so we have migrated this content to research.nccgroup.com.