Introducing XML Validation in Glasswall Halo
Glasswall's Content Disarm and Reconstruction (CDR) technology is designed to neutralize file-based threats by rebuilding files into safe, usable versions. However, XML files present a unique challenge due to their dynamic structure and reliance on external references, like schemas, whilst being hosted in a flat file format, making traditional CDR methods inapplicable.
Recognizing the security risks associated with XML files, Glasswall has developed the XML Validation API - a powerful tool to mitigate these risks while ensuring XML files are secure and well-formed. Part of the broader Glasswall Halo platform, the XML Validation API offers structured risk mitigation by validating XML structure and content against provided schemas such as in XSD and enforces XML specifications outlined in the W3C documentation.
Why XML validation matters
XML files, commonly used in web services such as payments, document storage, and data exchange, are susceptible to numerous security vulnerabilities, including XXE (XML External Entity) attacks, XInclude attacks, and schema manipulation. These threats can lead to significant security breaches, exposing sensitive data or enabling remote code execution. While CDR is effective for many file types, XML files require a different approach.
The XML Validation API was developed in response to specific client needs, particularly around XML log file sanitization and mitigating risks associated with XML parsing. Our research, guided by OWASP’s prior XML work, focused on identifying common XML threats and designing a tool to address them.
Key features of Glasswall's XML Validation API
Schema-based validation
At the heart of the XMLValidation API is schema validation. By using an XSD (XML Schema Definition)file, the API ensures that incoming XML files are well-formed and adhere to the expected structure. This includes validating the content, field types, and other schema-defined rules. This helps prevent malicious content from entering your systems by enforcing strict structural checks.
DTD handling
XML files often include DTDs (Document Type Definitions), an outdated validation method that can introduce security risks. Our API does not alter the original file; instead, if a DTD is encountered, validation fails to prevent conflicts with modern XSD validation and mitigate DTD-based threats.
Detecting known threats and capabilities
The XML Validation API identifies both malicious elements and legitimate XML capabilities, allowing users to specify which XML features to allow or disallow. The API detects common XML-based threats by analyzing structured attack patterns and enforcing policy-driven controls.
Additional security features include detecting "blocked tags," such as "include" within the XInclude namespace, and reading declared encoding to ensure compliance with security policies. If any malicious patterns or unauthorized XML capabilities are detected, validation fails, providing detailed insights into the triggered rules for enhanced security and control.
Policy-driven configuration
XML validation follows apredefined set of rules to ensure security and compliance. It enforces schema validation, checks for blocked tags such as "include" within the XInclude namespace, and reads declared encodings to detect potential risks. This structured approach ensures that XML files meet security standards without requiring user configuration.
Real-time threat mitigation
By integrating XMLValidation into the Glasswall Halo platform, users can process XML files in real-time, ensuring continuous protection without interrupting business operations. The API seamlessly processes XML files, allowing for secure file handling even in complex environments like cross-domain data transfer.
Strengthening security beyond CDR
While Glasswall’s CDR technology offers unmatched file security across a wide range of file types, the introduction of the XML Validation API fills a critical gap for XML files. By enforcing schema validation, preventing DTD vulnerabilities, and incorporating real-time threat detection, this tool enhances your organization's ability to handle XML files securely. With the XML Validation API, organizations can ensure that their XML files not only meet the required structural standards but are also free from known threats, making their security posture more comprehensive and resilient.
