
91 points todsacerdoti | 1 comments
tnorgaard No.46249333
This talk seems to set out to prove that "XML is Bad". Yes, XML-DSig isn't great with XPaths, but most of these attack vectors have been known for 10 years. There is probably a reason why the vulnerabilities found were in software not commonly used, e.g. SAP. Many of the things possible with XML and UBL simply aren't available in protobuf or JSON. How would you digitally sign a JSON document and embed the signature in the document?

Neither the article nor the talk appears to reference the XML standard that EN 16931 is built upon: Universal Business Language, https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=... - which is freely available. Examples can be found here: https://github.com/Tradeshift/tradeshift-ubl-examples/tree/m... . It is a good standard and yes, it's complex, but it is not complicated by accident. I would any day recommend UBL over IDOC, Tradacom, EDIFACT and the likes.

michaelt No.46250567
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> How would you digitally sign a JSON document and embed the signature in the document?

Embedding a signature into the same file is easy enough.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.7 (GNU/Linux)

iEYEARECAAYFAjdYCQoACgkQJ9S6ULt1dqz6IwCfQ7wP6i/i8HhbcOSKF4ELyQB1
oCoAoOuqpRqEzr4kOkQqHRLE/b8/Rw2k
=y6kj
-----END PGP SIGNATURE-----

1. isbvhodnvemrwvn No.46252578
Or use something similar to JWTs: you normalize the document, sign the hash, wrap the original document with metadata, and include the signature.
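The scheme isbvhodnvemrwvn sketches (normalize, hash, sign, wrap with metadata, embed the signature), worked through as an added example in Python using only the standard library. This is not code from either commenter or from any project named in the thread. The envelope field names (`payload`, `signature`, `alg`, `kid`, `value`), the key id and the `DEMO_KEY` value are constructed for the example; HMAC-SHA256 stands in for the asymmetric signature a real deployment would use, and the canonical form is sorted-key, whitespace-free JSON, a simplification of the JSON Canonicalization Scheme (RFC 8785). As JWS does with its protected header, the metadata is included in the signed bytes so that it cannot be swapped without invalidating the signature.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for the example only. A production system would use a
# per-issuer asymmetric key (e.g. Ed25519) so verifiers cannot forge signatures.
DEMO_KEY = b"demo-shared-secret-not-for-production"
ALG = "HS256"  # HMAC-SHA256 stands in for a public-key signature here


def canonical_bytes(doc) -> bytes:
    """The 'normalize the document' step: sorted keys, no whitespace, raw UTF-8.
    Any two serialisations of the same logical document yield identical bytes,
    so reformatting or reordering keys does not break verification."""
    return json.dumps(
        doc, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def signing_input(alg: str, kid: str, doc) -> bytes:
    """Bytes that get hashed and signed. Metadata rides along with the payload,
    like a JWS protected header, so alg/kid are covered by the signature."""
    return canonical_bytes({"alg": alg, "kid": kid, "payload": doc})


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_document(doc, key: bytes, kid: str) -> dict:
    """Wrap `doc` in an envelope carrying metadata plus a signature over the
    SHA-256 hash of the canonical signing input (constructed envelope layout)."""
    digest = hashlib.sha256(signing_input(ALG, kid, doc)).digest()
    sig = hmac.new(key, digest, hashlib.sha256).digest()
    return {
        "payload": doc,
        "signature": {"alg": ALG, "kid": kid, "value": b64url(sig)},
    }


def verify_document(envelope: dict, keys: dict):
    """Return the payload if the signature verifies, else raise ValueError.
    The algorithm is pinned to ALG rather than trusted from the envelope, and
    the key is selected by `kid` from a verifier-side table, so neither field
    can steer verification toward a weaker check."""
    try:
        payload = envelope["payload"]
        meta = envelope["signature"]
        kid = meta["kid"]
        provided = b64url_decode(meta["value"])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("malformed envelope") from exc
    if meta.get("alg") != ALG:
        raise ValueError("unexpected algorithm")
    if kid not in keys:
        raise ValueError("unknown key id")
    digest = hashlib.sha256(signing_input(ALG, kid, payload)).digest()
    expected = hmac.new(keys[kid], digest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        raise ValueError("signature mismatch")
    return payload


def is_valid(envelope: dict, keys: dict) -> bool:
    """Boolean convenience wrapper around verify_document."""
    try:
        verify_document(envelope, keys)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed invoice-like document; amounts as strings to avoid float drift.
    invoice = {"id": "INV-1", "total": {"amount": "100.00", "currency": "EUR"}}
    print(json.dumps(sign_document(invoice, DEMO_KEY, "k1"), indent=2))
```

Two checks worth noting when adapting this: verification recomputes the hash from the canonical form it derives itself, never from a digest carried in the document, and the envelope's `alg` is compared against a fixed expectation instead of being used to pick the algorithm. Both are the points where JWT verifiers have historically gone wrong.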