I want to disallow XML external entity attacks (XXE attacks) on SOAP requests. When the consumer team sends a SOAP call to us, they may replace the XML data with a malicious external entity that references the server's file /etc/passwd:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
I want to disallow any DTD coming in on the SOAP request; please give me some idea of how I can resolve this.
Some tutorials say that at parse or unmarshal time we can set some flag to true/false, but in this SOAP request case we are not doing any parsing logic; the request reaches the service class directly.
As far as I know, the SOAP request reaches the service class directly, so where and what do I have to write to disallow the DTD?
I am using the JAX-WS Spring jar, Apache CXF 2.7 and JAXB for generating my SOAP web service API.
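The point the question circles around is that a JAX-WS service class never parses anything itself: the envelope has already been turned into a stream of XML events before the unmarshalled object is handed over, so the DTD decision has to be made in the parser configuration, not in the service class. The following is an added, stand-alone example (not code from the question, from Apache CXF or from any answer) using only the standard javax.xml.stream API. It feeds the exact DOCTYPE from the question, wrapped in a constructed SOAP 1.1 envelope, to a parser built with JDK defaults and to one that is hardened, and additionally fails closed on any DTD event so the behaviour does not depend on which StAX implementation happens to be on the classpath. The envelope contents, the SoapDtdRejectionDemo class name and the getUser/name element names are made up for the demonstration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/**
 * Added example (not from the question or from CXF): the StAX API configured with
 * JDK defaults and hardened, fed the XXE payload from the question.
 */
public class SoapDtdRejectionDemo {

    // Constructed sample input: the DOCTYPE from the question wrapped in a SOAP 1.1 envelope,
    // with the entity referenced inside a body element so its expansion would leak the file.
    static final String MALICIOUS_ENVELOPE =
          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n"
        + "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n"
        + "  <soapenv:Body><getUser xmlns=\"urn:example\"><name>&xxe;</name></getUser></soapenv:Body>\n"
        + "</soapenv:Envelope>";

    // Constructed sample input: the same request with no DOCTYPE at all.
    static final String CLEAN_ENVELOPE =
          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n"
        + "  <soapenv:Body><getUser xmlns=\"urn:example\"><name>alice</name></getUser></soapenv:Body>\n"
        + "</soapenv:Envelope>";

    /** Weak configuration: whatever the JDK's StAX implementation does by default. */
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    /** Hardened configuration: no DTD processing, no external entities, no entity expansion. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        return f;
    }

    /**
     * Reads the envelope and returns the text of the <name> element, i.e. the value a
     * service class would eventually receive. Throws XMLStreamException if the document
     * is refused. With rejectDoctype set, any DOCTYPE is refused before its entity
     * declarations are even looked at, whatever the factory would otherwise allow.
     */
    static String readName(XMLInputFactory factory, String envelope, boolean rejectDoctype)
            throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(envelope));
        try {
            StringBuilder name = new StringBuilder();
            boolean inName = false;
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.DTD && rejectDoctype) {
                    throw new XMLStreamException("DOCTYPE declarations are not accepted in SOAP requests");
                }
                if (ev == XMLStreamConstants.START_ELEMENT && "name".equals(r.getLocalName())) {
                    inName = true;
                } else if (ev == XMLStreamConstants.END_ELEMENT && "name".equals(r.getLocalName())) {
                    inName = false;
                } else if (inName && (ev == XMLStreamConstants.CHARACTERS || ev == XMLStreamConstants.CDATA)) {
                    name.append(r.getText());
                } else if (inName && ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    // Unexpanded reference (only possible when replacement is off): keep it
                    // visible as literal text, never resolve it.
                    name.append('&').append(r.getLocalName()).append(';');
                }
            }
            return name.toString();
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("clean, hardened : " + readName(hardenedFactory(), CLEAN_ENVELOPE, true));
        try {
            System.out.println("xxe, hardened   : " + readName(hardenedFactory(), MALICIOUS_ENVELOPE, true));
        } catch (XMLStreamException e) {
            System.out.println("xxe, hardened   : rejected (" + e.getMessage() + ")");
        }
        try {
            // With JDK defaults the entity is declared and expanded. On a host where /etc/passwd
            // is readable this pulls the file into <name>, which is exactly the leak described above.
            String leaked = readName(defaultFactory(), MALICIOUS_ENVELOPE, false);
            System.out.println("xxe, default    : " + leaked.length() + " characters expanded into <name>");
        } catch (XMLStreamException e) {
            System.out.println("xxe, default    : " + e.getMessage());
        }
    }
}
```

In CXF the envelope goes through this same API inside CXF's own StAX interceptor (org.apache.cxf.interceptor.StaxInInterceptor, which builds its reader through org.apache.cxf.staxutils.StaxUtils) before the JAXB databinding unmarshals the body from that reader and calls the service class, so the service class is the wrong place to look: the factory settings shown above are what must be in force at that earlier step. Check the StaxUtils of the exact 2.7.x release you run, and its release notes, to see whether SUPPORT_DTD is already disabled there and which property switches it, before adding a second parse of your own. A raw scan of the request body for the string "<!DOCTYPE" is not a substitute for a parser-level refusal: it misses other encodings (UTF-16, for instance) and is fooled by comments, while the DTD event check above is driven by the parser's own view of the document.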