
I have a security problem in WSO2 identity studio 5.10,

https://www.exploit-db.com/exploits/40239

(XXE and XSS; the problem was solved in 5.1 by implementing XML parsers that detect malicious scripts or entities in XML messages' DTD)

For example:

<!DOCTYPE root [
<!ENTITY foo SYSTEM "file:///c:/windows/win.ini">
]>
...
<in>&foo;</in>

https://wso2.com/technical-reports/wso2-secure-engineering-guidelines

2.4 A4 - XML External Entity (XXE)

mentions that this could have been prevented by adding a DocumentBuilderFactory (DOM parser) and XMLInputFactory (StAX parser). If so, where should I implement those?

If not, what should I do?

Where does WSO2 do its XML parsing?

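To show what the guideline's DOM and StAX hardening looks like in practice, here is an added Java example (not WSO2's code and not from the question) that configures both factories so the DOCTYPE above is rejected and the external entity is never resolved; the class and method names are assumptions, and the sample document is a constructed copy of the question's payload.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardenedParsers {

    // Constructed sample in the shape of the question's payload.
    static final String SAMPLE =
        "<!DOCTYPE root [\n"
      + "<!ENTITY foo SYSTEM \"file:///c:/windows/win.ini\">\n"
      + "]>\n"
      + "<root><in>&foo;</in></root>";

    // DOM parser (DocumentBuilderFactory): refuse any DOCTYPE, then also
    // switch off every external-entity and external-DTD path as defence in depth.
    static DocumentBuilder hardenedDomBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // StAX parser (XMLInputFactory): no DTD processing, no external entities.
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        try {   // The DOM parser must fail on the DOCTYPE before reading any entity.
            hardenedDomBuilder().parse(new InputSource(new StringReader(SAMPLE)));
            System.out.println("DOM: parsed (unexpected, hardening not applied)");
        } catch (SAXParseException e) {
            System.out.println("DOM: rejected -> " + e.getMessage());
        }
        XMLStreamReader r = hardenedStaxFactory().createXMLStreamReader(new StringReader(SAMPLE));
        try {   // With DTD support off, &foo; is either left unresolved or reported as an error.
            while (r.hasNext()) r.next();
            System.out.println("StAX: finished without resolving &foo;");
        } catch (XMLStreamException e) {
            System.out.println("StAX: rejected -> " + e.getMessage());
        }
    }
}
```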

1 Answer

As you have mentioned, the particular issue you have pointed out is already resolved.

The XML parsers in the product should be strong enough to mitigate the XXE issues. If you have faced any security issue, please report the issue as mentioned here.

Maduranga Siriwardena