tags:

views: 38

answers: 2

Can anybody give a list of XML vulnerabilities and threats that are possible on the Internet?

A: 

There is no such thing as an XML threat, and it has no vulnerabilities because it's just a data format language.

It all depends on how you use it and on the specific implementation.

Elalfer
Sorry, Elalfer; I strongly disagree. Please see my own answer.
CesarGon
np. We just have different points of view on security and building safe applications. It is always good to see other views on the same question. ;)
Elalfer
A: 

I disagree with the view that XML has no vulnerabilities because it is "just a data format language". Any language, regardless of what it describes (data, instructions, whatever), can be engineered to be more or less usable and error-prone. A language that has been carefully crafted to be highly usable (and hence not error-prone) is inherently less vulnerable than another language that, by its own design (lexicon, syntax, overall grammar) appears as more confusing to the user. Think of C, C# and Ada, for example.

The people who created XML took specific design decisions, and vulnerabilities can be determined from the inherent characteristics of XML itself.

This does not mean, however, that tools used to manipulate XML could not have their own vulnerabilities. It is the same case with any other tool that manipulates data expressed in any other language (a compiler processing C++ code, for instance).

CesarGon
So, you didn't show any vulnerabilities in XML, and I said that it depends on your implementation and usage of this language. `confusing` doesn't mean `vulnerable`; it's just a bad design. But even with a bad design and `confusing` languages you can create very secure applications.
Elalfer
@Elalfer: Well, there is a whole special working group within JTC1/SC22 in ISO, called OWGV, devoted to language vulnerabilities, and of which I used to be a liaison. I don't think that a sweeping statement such as "There are no such thing as XML threat and it has no vulnerabilities because it's just a data format language", with no backing whatsoever, is stronger than an international group of experts that have been working on this matter for a long time. Languages *do* have vulnerabilities of their own. I am aware I didn't point any out; I was just expressing my disagreement with your view.
CesarGon
So, why the downvote? You may disagree with my point of view, but I argued for it. You didn't argue for yours; you just made a bold statement with no backing. Can you provide any evidence or expert judgment that backs your view that a language cannot have vulnerabilities because it's just a language?
CesarGon
I'll do it after a lunch.
Elalfer
Thank you; I'll be waiting. :-)
CesarGon
Hi again. I see you are a researcher and I'm a Software Engineer; this is why we have different points of view. So, any language (programming or verbal) could be discussed from 2 sides: `scientific` (entropy, field and compiler theories) and `technical` (compilers, tools, web servers, ...), like an electromagnetic field, as particles or waves. So, we are discussing different stuff, and the main problem is the question: it's not very specific. I do agree that XML as a `language` could have vulnerabilities, but not as a text format itself from a technical point of view.
Elalfer
So, I'll take back my (-1), because this dispute is because of a poor question. ;) By the way, I've been in Spain (1.5 months this year). Nice place.
Elalfer
Ahhh, sorry, it's too old to change it...
Elalfer
It's okay, don't worry. :-) I am a researcher *now*, but I have started three companies and been a developer for 10+ years too. I am also involved in standardisation projects with industry. I can perfectly share your business-oriented perspective. :-)
CesarGon