Saturday, July 11, 2009

Justification for constraining your XML Types

As part of work for a client and some training I need to perform in the future, I have been spending time on hacking web services. A simple weakness that often goes unchecked is the use of types that have no restrictions in XML Schema and WSDL. An example is the simple schema below, where the Social Security Number is not restricted in length or type:

<xsd:element name="SSN" type="xsd:string"/>

If this element is used as part of a SQL query in a web service, there is the potential for SQL injection attacks. SQL injection is where hackers look for elements that are not constrained and take advantage of the unrestricted size to insert additional SQL. A simple mechanism to reduce this is to restrict the element via a simpleType.

<xsd:element name="SSN" type="SSNType"/>

<xsd:simpleType name="SSNType">
<xsd:restriction base="xsd:string">
<xsd:minLength value="9"/>
<xsd:maxLength value="11"/>
</xsd:restriction>
</xsd:simpleType>

This then reduces the overall buffer available to the hacker to between 9 and 11 characters.
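
The restriction above limits length only, so the type of the content is still unconstrained. The following is an added example, not code from the original post: it reads the facets out of the SSNType definition and applies them to a few values, first with the length facets alone and then with a pattern facet added. The pattern `\d{3}-?\d{2}-?\d{4}` and the sample values are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

XSD_NS = "{http://www.w3.org/2001/XMLSchema}"
# Constructed schemas: the post's length-only SSNType, and a variant with a
# pattern facet added (the pattern itself is an assumption, not from the post).
LENGTH_ONLY = """<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:simpleType name="SSNType">
    <xsd:restriction base="xsd:string">
      <xsd:minLength value="9"/>
      <xsd:maxLength value="11"/>
    </xsd:restriction>
  </xsd:simpleType>
</xsd:schema>"""
WITH_PATTERN = LENGTH_ONLY.replace(
    "</xsd:restriction>",
    r'<xsd:pattern value="\d{3}-?\d{2}-?\d{4}"/></xsd:restriction>')

# Constructed inputs: two well-formed SSNs, one too long, one with a quote.
SAMPLES = ["123456789", "123-45-6789", "123-45-67890", "1234'56789"]


def load_facets(xsd_text, type_name="SSNType"):
    """Return the facets of a named simpleType as {facet name: value}."""
    root = ET.fromstring(xsd_text)
    for st in root.iter(XSD_NS + "simpleType"):
        if st.get("name") == type_name:
            restriction = st.find(XSD_NS + "restriction")
            return {f.tag[len(XSD_NS):]: f.get("value") for f in restriction}
    raise KeyError(type_name)


def is_valid(value, facets):
    """Check value against the minLength, maxLength and pattern facets."""
    if len(value) < int(facets.get("minLength", 0)):
        return False
    if "maxLength" in facets and len(value) > int(facets["maxLength"]):
        return False
    # XSD patterns are implicitly anchored, hence fullmatch (Python re as stand-in).
    return "pattern" not in facets or bool(re.fullmatch(facets["pattern"], value))


def check(xsd_text, values=SAMPLES):
    """Map each value to whether the schema's SSNType accepts it."""
    facets = load_facets(xsd_text)
    return {v: is_valid(v, facets) for v in values}


if __name__ == "__main__":
    print(check(LENGTH_ONLY), check(WITH_PATTERN), sep="\n")
```

With the length facets alone, the 10-character value containing a quote is accepted; with the pattern facet it is rejected. Schema validation narrows what reaches the service, and the query should still bind the value as a parameter rather than concatenate it.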