
XML is a markup language, not a pure programming language. This means that XML files are usually marked-up “data” files, rather than procedural logic. 


Kiuwan provides native support for processing XML files, i.e. off-the-shelf XML rules that are fired when the application source code contains XML files.

To apply those rules, Kiuwan uses an XML parser that checks if the XML files are well-formed.

If an XML file is not well-formed or does not comply with the XML specification, Kiuwan reports it and that file is not processed any further by Kiuwan's XML rules.

There are some well-known XML files, i.e. standardized XML files broadly used by public frameworks and/or products. Because these formats are standardized, Kiuwan can provide rules that check for conditions specific to them.


Kiuwan provides more than 20 XML rules addressing specific conditions for Struts1 and XSLT.

To see these rules, go to Models Management > Rules. Select CQM and search for XML in the Language field. 

These XML rules are deactivated by default in CQM (default model). 

Why are the rules deactivated?

Those rules are specific to those frameworks and, if activated, Kiuwan will process every XML file of your application trying to apply them. But if your application is not using any of those frameworks, the XML scan is a waste of time and resources.

If your application is using any of those frameworks (Struts1 and/or XSLT), you can activate them and Kiuwan will apply those rules when it finds XML files within your application code.

Apart from these XML-specific rules, there are some other rules (Java, .NET, etc.) that read specific XML files (web.xml, .wsdl files, etc.) to accomplish the rule's goal.

  • For example, there are rules that check for the misconfiguration of security properties in web.xml descriptors. These rules process this standard XML file (web.xml) looking for misconfigurations.

  • Another example is XML SOAP messages (WSDL files). Kiuwan provides rules that check specific conditions on such files (signatures, encryption, etc.).
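The two steps described above, the well-formedness gate that decides whether a file is processed at all and a rule that reads a standard descriptor looking for a security misconfiguration, can be illustrated with a small stand-alone script. The code below is an added example written for this page; it is not Kiuwan's rule engine, not one of its XML rules and not its rule API. It assumes a single hypothetical rule (session cookies in web.xml must have both the HttpOnly and Secure flags set via cookie-config), a file selection based on the file name, and Python's standard library parser. The sample files are constructed inline.

```python
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

# Constructed sample inputs standing in for XML files found in an application's source tree.
SAMPLE_FILES = {
    # Well-formed web.xml whose session cookies lack the Secure flag and disable HttpOnly.
    "WEB-INF/web.xml": """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>false</http-only>
    </cookie-config>
  </session-config>
</web-app>""",
    # Same descriptor with both cookie flags set: the rule reports nothing.
    "hardened/WEB-INF/web.xml": """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>""",
    # Well-formed but unrelated XML: parsed, yet no web.xml rule applies to it.
    "struts-config.xml": """<struts-config><form-beans/></struts-config>""",
    # Not well-formed (mismatched closing tag): rejected by the parser, no rule runs.
    "broken.xml": """<web-app><session-config></web-app>""",
}


def local(tag):
    """Return an element name without its namespace ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def find_first(elem, *path):
    """Follow a chain of child local-names, e.g. find_first(root, 'session-config', 'cookie-config')."""
    for name in path:
        elem = next((child for child in elem if local(child.tag) == name), None)
        if elem is None:
            return None
    return elem


def parse_well_formed(text):
    """Return (root, None) for well-formed XML, or (None, error_message) otherwise.
    xml.etree is used so the example runs offline; for untrusted input prefer defusedxml."""
    try:
        return ET.fromstring(text), None
    except ParseError as exc:
        return None, str(exc)


def check_web_xml_cookies(root):
    """Hypothetical rule: session cookies must carry both HttpOnly and Secure flags
    (Servlet 3.0+ <session-config>/<cookie-config>). Returns a list of findings."""
    findings = []
    cookie_cfg = find_first(root, "session-config", "cookie-config")
    for flag in ("http-only", "secure"):
        node = None if cookie_cfg is None else find_first(cookie_cfg, flag)
        if node is None or (node.text or "").strip().lower() != "true":
            findings.append(f"session-config/cookie-config/{flag} is not set to true")
    return findings


def analyze(files):
    """Gate every file on well-formedness, then apply the web.xml rule only to web-app descriptors."""
    report = {}
    for path, text in files.items():
        root, err = parse_well_formed(text)
        if root is None:
            # Mirrors the page: a malformed file is reported and not processed by any rule.
            report[path] = {"well_formed": False, "error": err, "findings": []}
            continue
        findings = []
        if path.endswith("web.xml") and local(root.tag) == "web-app":
            findings = check_web_xml_cookies(root)
        report[path] = {"well_formed": True, "error": None, "findings": findings}
    return report


if __name__ == "__main__":
    for path, result in analyze(SAMPLE_FILES).items():
        status = "OK" if result["well_formed"] else f"NOT WELL-FORMED ({result['error']})"
        print(f"{path}: {status}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Running the script prints one line per file: the broken file is flagged by the parser and skipped, the Struts configuration is parsed but produces no findings, the first web.xml yields two findings and the hardened copy none. Matching element names by local name keeps the rule independent of which Java EE / Jakarta namespace URI the descriptor declares, which is the usual stumbling block when writing checks over web.xml.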

In case you need to check specific conditions for your own XML files, you can build your own rules using Kiuwan APIs.