Understanding CAN/CSA-ISO/IEC TR 24772-15: Guidelines for Avoiding XML Security Vulnerabilities in Programming Languages

A Comprehensive Overview of the Canadian Adoption of ISO/IEC TR 24772-15 for XML Language Use and Implementation Safety

CAN/CSA-ISO/IEC TR 24772-15 is the Canadian adoption of the international technical report ISO/IEC TR 24772-15, part of the series Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use. This part specifically addresses the XML language and its related technologies (e.g., XPath, XSLT, XML Schema) and provides structured guidance to assist developers, architects, and security reviewers in identifying and mitigating common vulnerabilities that arise when XML processing is used in software applications. The standard is published by the Standards Council of Canada (SCC) and administered by the Canadian Standards Association (CSA Group).

Scope and Purpose

The standard applies to any software system that creates, processes, transforms, or transmits XML data. It covers both the selection of XML-related languages and their safe use within application programming interfaces (APIs) and libraries. The purpose is to reduce the frequency and severity of security incidents caused by vulnerabilities such as XML External Entity (XXE) injection, XPath injection, XML bombs (billion laughs attack), and other processing errors. The guidance is language-agnostic but focuses on the characteristics of XML that can be misused, regardless of the host programming language.

Tip: While this standard is not a compliance requirement for all software, adopting its recommendations during the design and code review phases significantly reduces the attack surface exposed by XML interfaces.

Technical Requirements and Vulnerability Classification

CAN/CSA-ISO/IEC TR 24772-15 does not prescribe strict technical requirements in the sense of mandatory controls; rather, it provides a threat taxonomy and corresponding avoidance techniques. The vulnerabilities are organised into several categories, as adapted from the international original:

  • XML Injection – Including entity expansion attacks and malicious document structure.
  • XPath and XQuery Injection – Exploitation of dynamic query construction.
  • Local or Remote Entity References – Risks associated with DTDs and external resources.
  • Denial of Service via Resource Exhaustion – Such as recursive entity expansion.
  • Improper Validation of XML Schemas – Leading to type-confusion and bypass of content rules.
  • Encoding and Character Set Attacks – Using alternate encodings to evade filters.

Vulnerability Category     | Common CWE ID | Typical Attack Vector                                        | Recommended Mitigation
---------------------------|---------------|--------------------------------------------------------------|----------------------------------------------------------------
XML External Entity (XXE)  | CWE-611       | Inclusion of external entities in the DTD or document        | Disable DTD processing or use secure XML parser configurations
XPath Injection            | CWE-643       | Untrusted input concatenated into XPath expressions          | Use parameterized XPath queries or input sanitization
XML Bombs (Billion Laughs) | CWE-776       | Recursive entity expansion causing memory exhaustion         | Limit entity expansion depth and total size
Schema Poisoning           | CWE-106       | Maliciously crafted XML Schema overriding expected structure | Validate against a known, trusted schema; reject unknown schemas
Encoding Attacks           | CWE-172       | Encoding mismatch to bypass security filters                 | Standardize encoding (e.g., UTF-8) at boundary points

Implementation Highlights

The standard emphasises several practical measures to embed security into the software development lifecycle when handling XML:

Secure Parser Configuration

Developers must ensure that XML parsers are configured securely by default. This includes disabling DTD processing (unless absolutely required), limiting entity expansion, and turning off external entity resolution. The standard provides a checklist of parser settings for popular languages (Java, .NET, Python, etc.).

Warning: Many XML parsers have insecure defaults. Relying on default behaviour without explicit hardening is the leading cause of XXE vulnerabilities in modern applications.

Input Validation and Whitelisting

All data received in XML format should be validated against a strict schema (XSD). Where dynamic query construction is unavoidable (e.g., XPath queries), input must be validated against a whitelist of permitted characters and structures. The standard discourages the use of string concatenation to build XPath expressions.
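The concatenation the standard discourages beside a hardened lookup, as an added example (not code from the standard or from this page): the hardened version first checks the input against a whitelist of permitted characters and then encodes it as an XPath 1.0 string literal, so the data can never terminate the quoted literal. It uses the XPath subset supported by Python's standard-library ElementTree; the sample document, the username pattern and the function names are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document for the demonstration.
SAMPLE = """<users>
  <user name="alice" role="staff"/>
  <user name="bob" role="admin"/>
  <secret id="1">constructed-secret-value</secret>
</users>"""
ROOT = ET.fromstring(SAMPLE)

# Whitelist for a username: the only structure the field is allowed to have.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def find_user_unsafe(root, username):
    """Vulnerable form: untrusted input concatenated into the XPath (CWE-643).
    A value that closes the quote and the predicate rewrites the whole path."""
    return root.findall(f"./user[@name='{username}']")


def xpath_string_literal(value):
    """Encode a Python string as an XPath 1.0 string literal.

    A value with only one kind of quote is wrapped in the other kind; a value
    containing both is split with concat(), so the data can never end the
    literal. This is the defence-in-depth layer behind the whitelist.
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = [f"'{piece}'" for piece in value.split("'")]
    return "concat(" + ", \"'\", ".join(parts) + ")"


def find_user(root, username):
    """Hardened form: reject anything outside the whitelist, then quote it."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the permitted set")
    return root.findall(f"./user[@name={xpath_string_literal(username)}]")
```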

Resource Management

To prevent denial-of-service attacks, the standard recommends enforcing limits on entity substitution depth, maximum document size, and maximum number of attributes per element. These limits should be documented and tested during performance and security regression testing.
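The parser settings from Secure Parser Configuration together with the limits described here, as an added example that is not taken from the standard: a policy pass built on the expat bindings in Python's standard library runs in front of ElementTree, refusing DOCTYPE and entity declarations (so nothing external is resolved and nothing is expanded) and enforcing size, nesting-depth and attribute-count limits before the ordinary parse. The function and exception names, the default limits and the documents in the checks are assumptions made for the demonstration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class XmlPolicyError(ValueError):
    """Raised when a document violates the parser policy (hypothetical type)."""


def parse_untrusted(data, allow_dtd=False, max_bytes=1_000_000, max_depth=64, max_attrs=32):
    """Size limit, then an expat policy pass that refuses DTD features and
    enforces structural limits without expanding anything, then the real parse."""
    if len(data) > max_bytes:
        raise XmlPolicyError(f"document exceeds {max_bytes} bytes")
    p = expat.ParserCreate()
    # Never fetch an external DTD subset or expand parameter entities.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    depth = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise XmlPolicyError(f"DOCTYPE '{name}' not permitted")
        if sysid or pubid:
            raise XmlPolicyError("external DTD subset not permitted")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Internal entities enable expansion bombs, external ones enable XXE;
        # refusing every declaration also leaves nothing external to resolve.
        raise XmlPolicyError(f"entity declaration '{name}' not permitted")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise XmlPolicyError(f"nesting deeper than {max_depth} at <{name}>")
        if len(attrs) > max_attrs:
            raise XmlPolicyError(f"more than {max_attrs} attributes on <{name}>")

    def on_end(name):
        nonlocal depth
        depth -= 1

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.StartElementHandler = on_start
    p.EndElementHandler = on_end
    try:
        p.Parse(data, True)  # an exception raised in a handler propagates here
    except expat.ExpatError as exc:
        raise XmlPolicyError(f"malformed XML: {exc}") from exc
    return ET.fromstring(data)  # safe: the document carries no DTD or entities
```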

Success: Organizations that implement these resource limits in addition to parser hardening have reported a measurable decrease in security incidents related to XML processing.

Compliance and Auditing Considerations

Conformance to CAN/CSA-ISO/IEC TR 24772-15 is assessed through a review of coding standards, parser configurations, and security testing evidence. The standard does not itself require certification, but it can be referenced as part of a broader compliance framework such as ISO/IEC 27001, PCI DSS, or the Canadian Government’s IT Security Baseline.

Auditors should verify:

  • That the organization has adopted the vulnerability categories from the standard into its secure coding guidelines.
  • That code reviews or static analysis tools include checks for the specific XML vulnerabilities listed in the report.
  • That developer training covers the risks and remedies described in TR 24772-15.
  • That parser configuration is documented and enforced through configuration management.

Danger: Skipping regular audits of XML processing code can lead to undetected vulnerabilities that are later exploited through supply chain or data-theft attacks. Treat TR 24772-15 as a living document; update internal guidelines as the threat landscape evolves.

Relation to Other Standards

CAN/CSA-ISO/IEC TR 24772-15 is the Canadian adoption of the international ISO/IEC TR 24772-15:2014. It aligns with the general principles of ISO/IEC TR 24772-1 and complements other parts of the series that address specific programming languages (e.g., C, Java, Python). For organizations already following ISO/IEC 27034 (application security), this technical report provides detailed XML-specific guidance that can be incorporated into their security assurance programmes.

FAQs

Q: Is CAN/CSA-ISO/IEC TR 24772-15 mandatory for software sold in Canada?
A: No, it is a technical report providing guidance, not a mandatory standard. However, it may be cited in procurement contracts or as a reference in security compliance frameworks.
Q: What is the difference between this Canadian adoption and the international ISO/IEC TR 24772-15?
A: The Canadian adoption includes a national foreword and may reference Canadian regulations (e.g., from the Communications Security Establishment). The technical content is identical to the original international report.
Q: Does the standard cover JSON or other data formats?
A: No, this part of the TR 24772 series is exclusively focused on XML and associated technologies (XPath, XSLT, XML Schema). For JSON, refer to the language-specific parts of the series (e.g., the part on JavaScript) or other relevant sources.
Q: How often is the standard updated?
A: The international ISO/IEC TR 24772 series is periodically reviewed. Check the CSA Group website for the latest adoption date. The current edition is derived from ISO/IEC TR 24772-15:2014.

© 2026 – This article is for informational purposes and reflects the standard as of publication. For official compliance guidance, consult the full text of CAN/CSA-ISO/IEC TR 24772-15 and seek legal or engineering counsel as appropriate.
