When I scan using the Fortify tool, I get some issues under "XML External Entity Injection".
TransformerFactory trfactory = TransformerFactory.newInstance();
This is the place where it is showing the error. I have applied the fix below, as suggested by Fortify:
trfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
trfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
but the issues are still not fixed. How do I fix this issue?
In most cases, XXE attacks can easily be prevented by disabling the features that make the XML processor weak and the application vulnerable. By analyzing the application's XML parsing library, the features that can be misused can be identified and disabled. DTD and XML external entity features must be disabled.
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data.
XML injection is a result of malicious user input that's used in your XML files. To find XML injection vulnerabilities, look for all instances of user input that are then fed into the web application's XML file.
The safest and possibly most effective way to prevent an XXE attack is to disable external entities, also called DTDs, entirely.
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;

TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);   // throws TransformerConfigurationException if the implementation cannot honour it
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");         // "" = no protocol allowed: blocks external DTDs and external entities
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");  // "" = blocks external stylesheets (xsl:import, xsl:include, document())
This would be sufficient.
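A check to confirm that the hardening actually takes effect, added here as an example and not code from the question or the answer: it runs the same identity transform through a default TransformerFactory and through one configured as above, on a document that references a harmless external DTD written to a temp file. The class name, helper names and the temp-file setup are assumptions; Files.writeString needs Java 11 or later.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XxeHardeningCheck {

    // Factory configured exactly as in the answer above.
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // no external DTDs / entities
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); // no external stylesheets
        return f;
    }

    // Identity transform of xml with the given factory. Returns null when the
    // document was processed, or the error message when the parser refused it.
    static String transformError(TransformerFactory f, String xml) {
        try {
            Transformer t = f.newTransformer();
            t.transform(new StreamSource(new StringReader(xml)),
                        new StreamResult(new StringWriter()));
            return null;
        } catch (TransformerException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a harmless DTD on local disk, referenced from the
        // DOCTYPE, stands in for any document that makes the parser reach outside
        // the XML it was handed (which is what XXE relies on).
        Path dtd = Files.createTempFile("xxe-check", ".dtd");
        Files.writeString(dtd, "<!ELEMENT doc (#PCDATA)>");
        String xml = "<?xml version=\"1.0\"?>"
                   + "<!DOCTYPE doc SYSTEM \"" + dtd.toUri() + "\">"
                   + "<doc>hello</doc>";
        System.out.println("default  factory: " + transformError(TransformerFactory.newInstance(), xml));
        System.out.println("hardened factory: " + transformError(hardenedFactory(), xml));
        Files.delete(dtd);
    }
}
```

With the JDK's built-in implementation the default factory line prints null (the external DTD was fetched and the transform completed), while the hardened line prints an error stating that file access is not allowed due to the accessExternalDTD restriction; if both lines print null, the hardening is not reaching the parser that processes your input.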