
Upload XML file to website cart, Security Issues?

Hi,

Just a little background info,

I am working on a WinForms program that allows users to have an electronic
version of my catalog, since while they are actually looking at pieces they
need to buy they won't also have internet access and be able to go to the
website.

The catalog has a feature to be able to 'save quote' which saves the cart
schema and all of the data to an XML file. Someone brought up the idea of
allowing the customer to be able to log into the website and be able to
upload the data from that XML file to our shopping cart.

The basic concept is that it would read all of the data from the XML file and
then store it in an array. From there it would run through the
array/collection and check the part numbers and pricing against the database
to make sure the parts exist and if there is any increase/decrease in pricing.
My problem is I really have no idea at this point if there is any sort of
security risk from doing this. Since it is just all going to get loaded into
Session/Cookie/Whatever I wasn't sure if there is any room for someone to do
any sort of Injection or Scripting attack.

So any sort of feedback on how secure/insecure or any risks this could cause
would be much appreciated.

--
Message posted via DotNetMonster.com
http://www.dotnetmonster.com/Uwe/For...t-xml/200603/1
Mar 17 '06 #1
1 Reply


Your biggest issue is DTD. If you allow the XML to contain DTDs all sorts
of evil things could happen. So when you are parsing your XML file make sure
that you have turned off DTD processing (if possible).

DTD Attacks : Entity expansion attacks, Cross domain access, content model
processing, default attribute injection to show local information, path
discoverability, the list is quite big.

Your second issue is DoS attacks related to parsing algorithms in the reader
code. So things like duplicate attribute checks or things like namespace
declaration check will cost you. One crude way to prevent this is to limit
the input size. If you think a reasonable shopping cart size is no bigger
than 10K or say 50K size, then make sure you limit the size of the file that
is uploaded.

Obviously these are XML specific attacks, there could be others depending on
your upload mechanism.
Apr 18 '06 #2
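As an added example (not code from either poster), here is how the two recommendations in the reply, refusing DTDs and capping the upload size, look in a .NET cart importer, plus a parameterized part lookup for the database check the question describes. The `<cart><item partNumber="..." quantity="..." price="..."/></cart>` layout, the 50K ceiling, the part-number pattern and the `Parts` table are all assumptions made for the example. `XmlReaderSettings.DtdProcessing` is the .NET 4.0+ property; on .NET 2.0/3.5, the equivalent is `settings.ProhibitDtd = true`.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;
using System.Xml;

public class CartItem
{
    public string PartNumber;
    public int Quantity;
    public decimal QuotedPrice;
}

public static class CartUploadParser
{
    // Hard cap on the upload, as the reply suggests (50K chosen here as the example ceiling).
    public const long MaxUploadBytes = 50 * 1024;
    const int MaxItems = 500;
    // Assumed catalog part-number format: uppercase letters, digits and dashes only.
    static readonly Regex PartNumberPattern = new Regex(@"^[A-Z0-9\-]{1,32}$");

    // contentLength comes from the upload (e.g. HttpPostedFile.ContentLength) so the
    // check happens before a single byte is parsed.
    public static List<CartItem> Parse(Stream upload, long contentLength)
    {
        if (contentLength > MaxUploadBytes)
            throw new InvalidDataException("Cart file exceeds the size limit.");

        XmlReaderSettings settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Prohibit;   // any <!DOCTYPE ...> aborts the parse
        settings.XmlResolver = null;                       // never fetch external resources
        settings.MaxCharactersFromEntities = 1024;         // second line against entity expansion
        settings.MaxCharactersInDocument = MaxUploadBytes; // parser-level cap, independent of contentLength
        settings.IgnoreProcessingInstructions = true;

        var items = new List<CartItem>();
        using (XmlReader reader = XmlReader.Create(upload, settings))
        {
            while (reader.Read())
            {
                if (reader.NodeType != XmlNodeType.Element || reader.Name != "item")
                    continue;
                if (items.Count >= MaxItems)
                    throw new InvalidDataException("Too many line items.");

                // Validate every field before it goes anywhere near Session or the database.
                string part = reader.GetAttribute("partNumber") ?? "";
                if (!PartNumberPattern.IsMatch(part))
                    throw new InvalidDataException("Bad part number: " + part);

                int qty;
                if (!int.TryParse(reader.GetAttribute("quantity"), out qty) || qty < 1 || qty > 10000)
                    throw new InvalidDataException("Bad quantity for " + part);

                decimal price;
                if (!decimal.TryParse(reader.GetAttribute("price"), out price) || price < 0)
                    throw new InvalidDataException("Bad price for " + part);

                items.Add(new CartItem { PartNumber = part, Quantity = qty, QuotedPrice = price });
            }
        }
        return items;
    }

    // Part/price check against the database using a parameter, so the part number
    // from the file is never concatenated into SQL. Table and column names are assumed.
    public static bool TryGetCurrentPrice(SqlConnection conn, string partNumber, out decimal currentPrice)
    {
        using (SqlCommand cmd = new SqlCommand("SELECT Price FROM Parts WHERE PartNumber = @pn", conn))
        {
            cmd.Parameters.AddWithValue("@pn", partNumber);
            object result = cmd.ExecuteScalar();
            if (result == null || result == DBNull.Value) { currentPrice = 0; return false; }
            currentPrice = (decimal)result;
            return true;
        }
    }

    public static void Main()
    {
        // Constructed sample: a normal cart, then one carrying a DOCTYPE, which must be rejected.
        string good = "<cart><item partNumber=\"AB-123\" quantity=\"2\" price=\"9.99\"/></cart>";
        string withDtd = "<!DOCTYPE cart [<!ENTITY x \"y\">]><cart><item partNumber=\"&x;\" quantity=\"1\" price=\"1\"/></cart>";
        foreach (string doc in new[] { good, withDtd })
        {
            byte[] bytes = Encoding.UTF8.GetBytes(doc);
            try
            {
                List<CartItem> items = Parse(new MemoryStream(bytes), bytes.Length);
                Console.WriteLine("Accepted " + items.Count + " item(s); first: " + items[0].PartNumber);
            }
            catch (XmlException ex) { Console.WriteLine("Rejected by parser: " + ex.Message); }
            catch (InvalidDataException ex) { Console.WriteLine("Rejected by validation: " + ex.Message); }
        }
    }
}
```

The size check is done twice on purpose: once on the declared upload length before parsing starts, and once inside the reader via `MaxCharactersInDocument`, so a stream that lies about its length or arrives in a different encoding is still bounded. Compare each item's `QuotedPrice` with the value returned by `TryGetCurrentPrice` to report the price changes the question mentions; parts for which it returns `false` no longer exist in the catalog.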
