eXercise in Messaging and Presence Pwnage

Presented at DEF CON 17 (2009), Aug. 2, 2009, 11 a.m. (50 minutes)

eXtensible Messaging and Presence Protocol, or XMPP, is a is a set of specialized XML-based protocols that are an increasingly popular choice for a variety of middleware applications. It's a sprawling project implemented differently by many popular projects and services, and is used for purposes ranging from chat rooms and video conferencing to control channels for mobile devices. It combines a myriad of confusing buffet-style design options with all of the traditional weaknesses of XML security. XML parsing is a fragile art and many (if not most) implementations are vulnerable to DOS attacks, such as knocking the other users of a chatroom offline. I take a look at how those issues play out in IM clients and open source servers.

Presenters:

• Ava Latrope - Security Consultant, iSEC Partners
  Ava Latrope is a security consultant for iSEC Partners, with a focus on web application penetration testing. Her areas of interest include source code auditing, embedded device security and network penetration testing. Prior to joining iSEC, Ava worked for several years creating test automation frameworks for web 2.0 companies in the real estate and media industries. Research interests include instant messaging implementation and protocols.

Links:

• https://defcon.org/html/defcon-17/dc-17-speakers.html#Latrope
• https://infocon.org/cons/DEF CON/DEF CON 17/DEF CON 17 video and slides/DEF CON 17 - Ava Latrope - eXercise in Messaging and Presence Pwnage - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=0GW3rEqZ5pE

Similar Presentations:

• Black Hat Europe 2015 / How to Break XML Encryption - Automatically
• DeepSec 2015 „DeepSec No. 9“ / How to Break XML Encryption - Automatically
• AppSec USA 2016 / Lightning Talk - Assessing and Exploiting XML Schemas Vulnerabilities