Does XML give away the keys to the data warehouse?

"Does XML give away the keys to the warehouse?"

In this ADT article I reflect on some of the implications of XPath injection attacks, and to what extent XML and open data are a danger to developers.

While I don’t claim to have foreseen XPath injection attacks, it does strike me that this security problem is made possible by practices that I and others have always discouraged. One problem is the phenomenon of production XML as database dump. Developers love to create titanic XMLfiles, often as monolithic dumps from databases. Sometimes they deploy such monsters to servers susceptible to the cleverness of attackers.

If someone does compromise the server, they can pilfer one file and have your information warehouse at their hands.

I wrote this article a long time ago, and I actually didn't know if it would be published, because of editorial changes at ADT. I just discovered it by accident yesterday. I'm glad to see it "in print".

[Uche Ogbuji]

via Copia