Abstract:
XML is a widely used format in web technologies, providing a flexible way to represent and exchange structured data across different systems. Its parsers, however, are exposed to a range of security threats, including Denial of Service (DoS) attacks and XML External Entity (XXE) attacks. To address these concerns, this thesis investigates the security of XML parsers under different configuration settings. For this purpose, an existing testing framework was extended so that the parsers can be configured and systematically evaluated. All-pairs testing is employed to cover the interactions between configuration options, so that vulnerabilities arising from particular combinations of options are identified. Furthermore, the framework was enhanced with support for additional programming languages and parser versions, increasing the coverage and relevance of the evaluation. The results show that disabling external entities and network access in parsers is generally effective at preventing the common attacks. However, some options produce inconsistent results across parsers, revealing variability in how they are implemented and secured. In particular, Java and C++ parsers often do not ship with secure default configurations and are therefore more exposed, whereas parsers in other languages typically offer safer defaults.
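The contrast the abstract draws between a permissive and a hardened parser configuration can be reproduced with Python's expat binding. The following is an added example, not code from the thesis or its testing framework: the same two hostile documents are parsed twice, once with a configuration that mimics an insecure default (external entities resolved, no expansion limit, external DTDs fetched) and once with external entities refused, parameter-entity and external-DTD processing disabled, and an expansion budget enforced. Both documents, the `FAKE_RESOURCES` table that stands in for the filesystem or network, the `max_amplification` threshold and the `ParseRejected` outcome are constructed for illustration.

```python
"""Added example (not from the thesis): permissive vs hardened expat configuration."""
import xml.parsers.expat as expat

# Constructed stand-in for the filesystem/network a real XXE would reach; it keeps
# the example offline while still exercising expat's external-entity resolution path.
FAKE_RESOURCES = {"file:///etc/secret": b"SECRET-TOKEN-42"}

# Constructed XXE payload: the external entity is expanded into element content.
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE r [ <!ENTITY xxe SYSTEM "file:///etc/secret"> ]>
<r>&xxe;</r>"""


def make_laughs(depth=4, fanout=10):
    """Constructed, scaled-down entity-expansion ('billion laughs') document:
    fanout**depth copies of 'lol' produced from a few hundred bytes of input."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    body = "\n".join(decls)
    doc = f'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n{body}\n]>\n<lolz>&lol{depth};</lolz>'
    return doc.encode()


class ParseRejected(Exception):
    """Raised from a handler to abort parsing; expat propagates it out of Parse()."""


def parse(data, hardened, max_amplification=10):
    """Parse `data` and return {'status': 'ok'|'rejected'|'error', 'text': ..., 'reason': ...}.

    hardened=False mimics an insecure default: external entities are fetched and
    expanded, and there is no limit on how much text a small input may expand to.
    hardened=True applies the settings the thesis found effective: no external
    entities, no external DTD / parameter-entity processing, bounded expansion.
    """
    p = expat.ParserCreate()
    out = []
    state = {"out_bytes": 0}

    def chars(d):
        # Internal-entity expansion (the DoS vector) arrives here as character data,
        # so the output-to-input ratio is a direct measure of amplification.
        state["out_bytes"] += len(d)
        if hardened and state["out_bytes"] > max_amplification * len(data):
            raise ParseRejected(f"expansion exceeded {max_amplification}x input size")
        out.append(d)

    def external_ref(context, base, system_id, public_id):
        if hardened:
            raise ParseRejected(f"external entity {system_id!r} refused")
        payload = FAKE_RESOURCES.get(system_id)
        if payload is None:
            return 0  # expat reports XML_ERROR_EXTERNAL_ENTITY_HANDLING
        # The real resolver pattern: a child parser sharing p's handlers parses the
        # fetched bytes, so the secret lands in `out` exactly as in a live XXE.
        child = p.ExternalEntityParserCreate(context)
        child.Parse(payload, True)
        return 1

    if hardened:
        # Never load external DTD subsets or parameter entities: no network fetches.
        p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    else:
        p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    p.CharacterDataHandler = chars
    p.ExternalEntityRefHandler = external_ref

    try:
        p.Parse(data, True)
    except ParseRejected as e:
        return {"status": "rejected", "text": "".join(out), "reason": str(e)}
    except expat.ExpatError as e:
        return {"status": "error", "text": "".join(out), "reason": str(e)}
    return {"status": "ok", "text": "".join(out), "reason": None}


if __name__ == "__main__":
    for name, doc in (("xxe", XXE_DOC), ("laughs", make_laughs())):
        for hardened in (False, True):
            r = parse(doc, hardened)
            print(f"{name:7} hardened={hardened!s:5} status={r['status']:8} "
                  f"chars={len(r['text']):6} reason={r['reason']}")
```

The permissive run leaks `SECRET-TOKEN-42` and expands the few-hundred-byte laughs document to 30,000 characters; the hardened run rejects both before any external resource is touched or the expansion budget is exceeded. Note that expat itself only adds amplification protection in newer versions and only above a multi-megabyte threshold, which is why an application-level budget such as `max_amplification` is still worth enforcing.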