Among the range of XML security standards, XML encryption, XML digital signature, and Canonical XML stand out as foundational standards for securing XML. XML digital signatures support data integrity to ensure that a message hasn’t been modified along the path from sender to receiver. Because an XML document may undergo surface modification by an XML parser, Canonical XML is used to create a canonical representation that is immune to parser modification.
XML encryption can be used in two ways. One is to keep a document secret by encrypting with a public key so that only the intended recipient with his or her private key can read the message. The other, in support of authentication, is to encrypt with a private key so that anyone with the corresponding public key can prove message authenticity.
Yet, all the standards in the world don’t guarantee a secure system. It’s a wild west world out there, and hackers and attackers are busy trying to find vulnerabilities in any Internet-based software. To underscore this reality, this article examined several XML and web services attacks. The bottom line is that only with an awareness of what potential attackers can do, coupled with an understanding of how XML is being used within an organization, can you take the necessary steps to educate network managers and put policies in place to keep your XML applications safe. Putting yourself in the role of attacker and performing constant testing serves as your best defense.