Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Injecting Java Bytecode in XML for harmful purposes

So I have been thinking whether there is a way to send an XML such that the XML contains code in (bytecode) that will be unintentionally executed by the JVM. I am using java so I think uncompiled code will not work. I think I need to inject bytecode in the XML to trick the JVM? I want to try to make sure that the web service that I am building is secure. I am using JAXB for xml marshalling unmarshalling and Jersey as the web service handler.

like image 702
denniss Avatar asked Jul 10 '26 11:07

denniss


1 Answers

Unintentionally? I don't think so.

The JAXB marshaller is going to deserialize XML values into the state of a given object, but the class and its behavior will be decided by you. I don't see sending raw bytecode in the XML and doing anything harmful with it.

You could send a JSON object that your Java object could execute using Rhino, but that's hardly unintentional.

Your service might have other security issues, but Java byte code injection attack isn't one of them.

You should be validating all data sent to you before binding, anyway.

like image 158
duffymo Avatar answered Jul 12 '26 02:07

duffymo



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!