Veracode XML External Entity Reference (XXE)

I've got the following finding in my Veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611), referring to the code below

...

  DocumentBuilderFactory dbf = null;
  DocumentBuilder db = null;
  try {
        dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setExpandEntityReferences(false);
        dbf.setXIncludeAware(false);
        dbf.setValidating(false);
        // as posted, newDocumentBuilder() was called without assigning its result, so db stayed null
        db = dbf.newDocumentBuilder();
        InputStream stream = new ByteArrayInputStream(datosXml.getBytes());
        Document doc = db.parse(stream, "");
  } catch (ParserConfigurationException | SAXException | IOException e) {
        throw new RuntimeException(e);
  }

...

I've been researching but I haven't found out a reason for this finding or a way of making it disappear. Could you tell me how to do it?

Jose Miguel asked Jun 22 '15 11:06




1 Answer

Have you seen the OWASP guide about XXE?

You are not disabling the 3 features you should disable. Most importantly the first one:

dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
DelGurth answered Oct 12 '22 16:10
