Security issues with electronic invoices
a day ago
- #eInvoicing
- #XXE Vulnerabilities
- #XML Security
- The EU's eInvoicing Directive (2014/55/EU) introduces standardized electronic invoices in XML format, but the scheme has problems: complexity, a lack of true standardization, and security issues.
- The XML format itself carries inherent security flaws, notably XXE vulnerabilities, and two commonly used XML processors, the Java standard library and the Saxon library, are insecure by default.
- XSLT 2.0 is required for EN16931 validation, but Saxon, which is vulnerable to XXE by default, is the only freely available XSLT 2.0 implementation.
- A security test suite for electronic invoices is provided; it exposes vulnerabilities in several software products.
- The EN16931 standard is hard to access: only parts one and two are available free of charge, and the remaining parts must be paid for.
- A list of security vulnerabilities found in electronic invoicing software, including XXE and blind XXE vulnerabilities in multiple products.
- Mustang is recommended over ZUV, with the caveat that Mustang versions before 2.16.3 are vulnerable to XXE.
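The common thread in the points above is that an invoice processor accepts XML with a DTD, which is the precondition for every XXE variant (classic and blind). An EN16931-style invoice never needs a DOCTYPE, so a receiving system can fail closed on it before any Java-side or Saxon-side parser configuration comes into play. The following is an added example and not code from the page, from Mustang, ZUV or Saxon; it uses Python's expat bindings to reject any DTD construct while still reading the document end to end, and the two invoice documents in it are constructed sample inputs (the `file:///placeholder/path` target is a deliberate placeholder):

```python
"""Reject e-invoice XML that carries a DTD before it reaches the real parser.

XXE and blind XXE both depend on entity declarations, and those live in the
DOCTYPE. Refusing any document with a DOCTYPE removes the whole class of
attacks regardless of how the downstream XML/XSLT engine is configured.
"""
import xml.parsers.expat


class InvoiceRejected(Exception):
    """Raised when an invoice contains a construct an invoice never needs."""


def _forbid_doctype(*_args):
    # Fires on '<!DOCTYPE ...'; stops parsing before any entity is declared.
    raise InvoiceRejected("DOCTYPE declaration is not allowed in invoices")


def _forbid_entity(*_args):
    # Defence in depth: would catch entity declarations even if the DOCTYPE
    # hook were ever unset. Covers both external (SYSTEM) and internal
    # entities, so recursive "billion laughs" payloads are rejected too.
    raise InvoiceRejected("entity declaration is not allowed in invoices")


def check_invoice(xml_bytes: bytes) -> dict:
    """Parse the invoice with expat and fail closed on any DTD construct.

    Returns what was seen (root element name, element count) so callers can
    confirm the document was actually read to the end, not just prefix-scanned.
    Raises InvoiceRejected on a DTD and xml.parsers.expat.ExpatError on
    malformed XML.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid_doctype
    parser.EntityDeclHandler = _forbid_entity
    seen = {"root": None, "elements": 0}

    def start_element(name, _attrs):
        if seen["root"] is None:
            seen["root"] = name
        seen["elements"] += 1

    parser.StartElementHandler = start_element
    parser.Parse(xml_bytes, True)  # True = final chunk, so truncated input errors
    return seen


def screen_invoice(xml_bytes: bytes) -> tuple:
    """Wrapper for a receiving pipeline: (accepted, reason_or_summary)."""
    try:
        return True, check_invoice(xml_bytes)
    except InvoiceRejected as exc:
        return False, f"rejected: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return False, f"rejected: malformed XML ({exc})"


# Constructed sample: minimal UBL 2 invoice skeleton without a DTD.
BENIGN_INVOICE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
  <ID>INV-2024-0001</ID>
  <IssueDate>2024-05-01</IssueDate>
</Invoice>"""

# Constructed sample: the same document with an external entity declared in a
# DOCTYPE. The SYSTEM target is a placeholder, not a real path.
DTD_INVOICE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Invoice [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<Invoice><ID>&ext;</ID></Invoice>"""

# Constructed sample: internal entities only (no external fetch), still a DTD.
INTERNAL_ENTITY_INVOICE = b"""<?xml version="1.0"?>
<!DOCTYPE Invoice [ <!ENTITY a "aaaa"> <!ENTITY b "&a;&a;&a;&a;"> ]>
<Invoice><ID>&b;</ID></Invoice>"""


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_INVOICE),
                       ("external entity", DTD_INVOICE),
                       ("internal entity", INTERNAL_ENTITY_INVOICE)]:
        print(label, "->", screen_invoice(doc))
```

The check is intentionally a gate in front of whatever engine does the real work, not a replacement for configuring that engine. For the Java processors named above, the equivalent hardening is to set the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl` to true on the parser factory and `XMLConstants.FEATURE_SECURE_PROCESSING` on the transformer factory; doing both the gate and the engine configuration means a misconfigured validation step (for example an XSLT 2.0 run through Saxon) never sees a document with a DTD in the first place.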