Fortify fix for XML External Entity Injection

Tags: java, fortify, xxe

When I scan using the Fortify tool, I get some issues under "XML External Entity Injection".

```java
TransformerFactory trfactory = TransformerFactory.newInstance();
```

This is the place where it is showing the error. I have applied the fix below as suggested by Fortify:

```java
trfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
trfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
```

but the issues are still not fixed. How do I fix this?

asked Jul 07 '16 13:07 by veera




1 Answer

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;

// setFeature declares the checked TransformerConfigurationException; handle or declare it
TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
```

This would be sufficient.

answered Sep 23 '22 23:09 by Kondal Kolipaka
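The SAX feature URIs tried in the question (`external-general-entities`, `external-parameter-entities`) are features of a SAX `XMLReader`, which is why setting them on a `TransformerFactory` does not change what Fortify flags. `TransformerFactory` is hardened through the JAXP 1.5 attributes the answer sets: `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_STYLESHEET` with an empty protocol list mean no external DTD, external entity or remote stylesheet may be fetched at all. The following is an added example, not code from the question, the answer or Fortify, that wraps that configuration in a helper and feeds the resulting transformer a constructed document carrying a `file:` entity. The class and method names are this example's own; the fail-closed handling of `IllegalArgumentException` (thrown by pre-JAXP-1.5 implementations that do not know the attributes) is a design choice of this example, and the rejection of the malicious input is the behaviour expected from the JDK's built-in implementation.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/**
 * Added example (not part of the original question or answer): a TransformerFactory
 * hardened against XXE, plus a demonstration on a document with an external entity.
 */
public class SafeTransformerExample {

    /** Build a factory that will not fetch external DTDs, entities or stylesheets. */
    public static TransformerFactory newSafeFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Standard JAXP feature that every implementation must support.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // JAXP 1.5 attributes: an empty protocol list allows nothing, so
            // <!DOCTYPE ... SYSTEM "...">, SYSTEM entities and remote xsl:import/include
            // are refused instead of resolved.
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // Assumption of this example: an implementation older than JAXP 1.5 throws
            // here because it does not know the attributes. Fail closed rather than
            // continue with a factory that may still resolve external entities.
            throw new TransformerConfigurationException(
                    "Transformer implementation does not support JAXP 1.5 external-access limits", e);
        }
        return factory;
    }

    /** Run an identity transform of the given XML string through the supplied factory. */
    public static String transform(TransformerFactory factory, String xml) throws TransformerException {
        Transformer transformer = factory.newTransformer(); // identity transform
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory factory = newSafeFactory();

        // Constructed sample inputs for this example.
        String benign = "<?xml version=\"1.0\"?><order><id>42</id></order>";
        String xxe = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE order [<!ENTITY secret SYSTEM \"file:///etc/hostname\">]>"
                + "<order><id>&secret;</id></order>";

        System.out.println("benign: " + transform(factory, benign));

        try {
            System.out.println("xxe: " + transform(factory, xxe));
            System.out.println("WARNING: external entity was resolved; the factory is not hardened");
        } catch (TransformerException e) {
            // With ACCESS_EXTERNAL_DTD set to "" the parser refuses the file: access.
            System.out.println("xxe input rejected: " + e.getMessage());
        }
    }
}
```

Two practical checks when applying this to a Fortify finding: keep the three calls immediately after `newInstance()` so the scanner's data-flow rule sees the factory configured before any `newTransformer()`/`newTemplates()` call, and remember that `TransformerFactory` settings do not harden a separately created `DocumentBuilderFactory`, `SAXParserFactory` or `XMLInputFactory`; each of those has its own attribute or property for the same restriction and needs its own fix.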