eXercise in Messaging and Presence Pwnage

Presented at DEF CON 17 (2009), Aug. 2, 2009, 11 a.m. (50 minutes).

eXtensible Messaging and Presence Protocol, or XMPP, is a is a set of specialized XML-based protocols that are an increasingly popular choice for a variety of middleware applications. It's a sprawling project implemented differently by many popular projects and services, and is used for purposes ranging from chat rooms and video conferencing to control channels for mobile devices. It combines a myriad of confusing buffet-style design options with all of the traditional weaknesses of XML security. XML parsing is a fragile art and many (if not most) implementations are vulnerable to DOS attacks, such as knocking the other users of a chatroom offline. I take a look at how those issues play out in IM clients and open source servers.


Presenters:

  • Ava Latrope - Security Consultant, iSEC Partners
    Ava Latrope is a security consultant for iSEC Partners, with a focus on web application penetration testing. Her areas of interest include source code auditing, embedded device security and network penetration testing. Prior to joining iSEC, Ava worked for several years creating test automation frameworks for web 2.0 companies in the real estate and media industries. Research interests include instant messaging implementation and protocols.

Links:

Similar Presentations: