Codenomicon released DEFENSICS for XML, the first commercial product that helps software developers and integrators find zero-day security problems in XML libraries and applications.
Technologies such as .NET, SOAP, VoIP, Web Services, industrial automation (SCADA) and even banking infrastructure increasingly utilize XML. The new test system provides an added capability for testing common XML-based protocols and file formats more efficiently and intelligently.
The new advancements in XML fuzzing have led to the discovery of vulnerabilities and defects in important applications that are deployed in business-critical environments. Earlier this year, Codenomicon discovered a multitude of vulnerabilities in both open source and commercial XML implementations. The first set of problems published by CERT-FI consisted of vulnerabilities in open source libraries responsible for parsing XML data. The company has provided testing services to selected responsible and proactive commercial players who depend on XML and its reliability. Now, with the availability of DEFENSICS for XML, any company can test their own implementations for similar problems.
The Codenomicon DEFENSICS product line uses a methodology called fuzzing for the proactive elimination of critical security flaws before public exposure. The intelligent fuzzing technique utilized by DEFENSICS takes XML message structures and alters them in ways beyond imagination.
XML communications can easily be corrupted using a multitude of techniques, for example: breaking the encodings, repeating tags and elements or dropping them, adding recursive structures and special characters, or causing overflows. The result can be a DoS situation, data corruption or, in a severe case, execution of hostile code on a vulnerable host.
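The anomaly classes listed above can be turned into a small robustness check for your own XML-handling code. The following is an added example, not code from Codenomicon or DEFENSICS: it feeds one deterministic mutant per class to a hypothetical application function (`read_order`) built on Python's `xml.etree.ElementTree`, and flags any outcome other than a clean parse or a clean `ParseError`. The seed message, its element names and the mutant sizes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample message; the element names are hypothetical.
SEED = b'<?xml version="1.0" encoding="UTF-8"?><order id="7"><item>widget</item></order>'
ITEM = b"<item>widget</item>"

# One deterministic mutant per anomaly class named in the text above.
MUTANTS = {
    "valid_seed": SEED,
    "broken_encoding": SEED.replace(b"widget", b"wid\xffget"),
    "repeated_element": SEED.replace(ITEM, ITEM * 1000),
    "dropped_element": SEED.replace(ITEM, b""),
    "dropped_end_tag": SEED.replace(b"</item>", b""),
    "deep_nesting": SEED.replace(b"</item>", b"<n>" * 500 + b"</n>" * 500 + b"</item>"),
    "special_chars": SEED.replace(b"widget", b"wid\x00<&get"),
    "oversized_text": SEED.replace(b"widget", b"A" * 1_000_000),
}

def read_order(data):
    """Hypothetical application code under test: a thin layer over the parser."""
    root = ET.fromstring(data)
    return int(root.get("id")), root.find("item").text.upper()

def classify(data, target=read_order):
    """Run one mutant; a clean parse and a clean ParseError are both acceptable."""
    try:
        target(data)
        return "accepted"
    except ET.ParseError:
        return "rejected"
    except Exception as exc:  # any other exception is an unhandled-input finding
        return "finding:" + type(exc).__name__

def run_suite(target=read_order):
    """Return {mutant name: outcome} for every mutant."""
    return {name: classify(data, target) for name, data in MUTANTS.items()}

if __name__ == "__main__":
    for name, outcome in run_suite().items():
        print(f"{name:18} {outcome}")
```

The parser itself rejects the malformed mutants cleanly; the finding comes from the application layer, which assumes an `<item>` element is always present.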