Abstract:
The XML standard is widely used for communication between software and services, especially on the internet. Testing XML parsers from various programming languages is therefore important to gain a better understanding of their current measures against common XML attacks. Our goal is to create a framework that tests XML parsers automatically and reproducibly for known attacks and makes it easy for future research to add test cases. The idea is to construct test modules for any kind of standard and to execute these tests in individual Docker containers. This thesis focuses on the basic functionality of the framework and on an XML testing module, in which the most common attacks on XML are implemented and to which the most commonly used parsers for the most popular programming languages are added. We produced results for different versions of one parser to detect whether parsers are becoming more secure out of the box; some seem to, while others fail consistently across all tested versions. The general direction seems to be that parsers are becoming more secure. The message regarding the results is to always consult the user guide or common practices for each parser's security settings, because the out-of-the-box experience still is not trustworthy.
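The kind of test module the abstract describes, as an added illustration that is not the thesis's own framework code: a few constructed probe documents are fed to a parser, and its out-of-the-box behaviour is classified as pass or fail against a safe expectation. Python's standard-library ElementTree stands in for "a parser under test"; `parse_guarded` shows the same parser behind the common mitigation of refusing DTDs when an application never needs them.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Probe:
    name: str
    document: str                 # constructed sample document
    expected: Optional[str]       # text a correct parse must yield (None: rejection is fine)
    unsafe: Optional[str] = None  # text that shows the parser did the risky thing


# Constructed probes: a benign document, and one whose internal DTD entities
# chain so that a parser expanding them by default yields "haha".
PROBES = [
    Probe("plain_document", "<a>hello</a>", expected="hello"),
    Probe("internal_entity_expansion",
          '<!DOCTYPE a [<!ENTITY x "ha"><!ENTITY y "&x;&x;">]><a>&y;</a>',
          expected=None, unsafe="haha"),
]

Parser = Callable[[str], str]


def parse_default(doc: str) -> str:
    """Out-of-the-box ElementTree with no special configuration."""
    return ET.fromstring(doc).text or ""


def parse_guarded(doc: str) -> str:
    """Same parser behind a guard that refuses any document carrying a DTD."""
    if "<!DOCTYPE" in doc:
        raise ValueError("DTD not allowed")
    return ET.fromstring(doc).text or ""


def run_module(parser: Parser) -> Dict[str, str]:
    """Run every probe through `parser` and return a verdict per probe name."""
    verdicts: Dict[str, str] = {}
    for p in PROBES:
        try:
            out = parser(p.document)
        except Exception:
            # Rejecting a hostile probe is safe; failing on benign input is a defect.
            verdicts[p.name] = "pass" if p.unsafe is not None else "error"
            continue
        if p.unsafe is not None and out == p.unsafe:
            verdicts[p.name] = "fail"
        elif p.expected is None or out == p.expected:
            verdicts[p.name] = "pass"
        else:
            verdicts[p.name] = "unexpected"
    return verdicts


if __name__ == "__main__":
    for label, parser in (("default", parse_default), ("guarded", parse_guarded)):
        print(label, run_module(parser))
```

In the framework described above each parser would be wrapped like `parse_default` inside its own Docker container, and adding a test case means appending one `Probe` entry.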