Questions tagged [xxe]

XML External Entity (XXE)

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.

87 questions
3 votes, 1 answer

How to assign XML DTD entity to attribute value

My XML: ]>
FunnyDeadCat
3 votes, 1 answer

XXE billion laughs attack seems not to be mitigated as expected by the Sonar recommended solution to prevent XXE attacks

The XXE security threat is currently no. 4 in the OWASP top ten web application security threats list, so I would expect that the Java standard XML libraries would prevent such attacks. However, when I use the Validator class in a way recommended by…
John Donn
3 votes, 1 answer

Setting secure processing in TransformerFactory leads to problems in XSL

I am generating a PDF document with an XML file as input using Apache FOP 2.4. To prevent XXE attacks I need to set the secure processing feature (FEATURE_SECURE_PROCESSING) in TransformerFactory: InputStream xslTransformer =…
greggor
3 votes, 3 answers

How to protect XML requests on a Jersey server?

I currently have a simple XML endpoint (example) created using the jersey-server 1.1 framework. It consumes and produces XML using the following…
user2950720
3 votes, 1 answer

XML External Entity (XXE) - External Parameter entities and External General Entities vulnerabilities

To prevent XXE attacks, I have disabled the features below as recommended for Java DocumentBuilderFactory - https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet. …
3 votes, 1 answer

How to disable XInclude when parsing XML?

I have been given to understand that XInclude is a potential vulnerability when receiving XML from untrusted sources. See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java. The XML which I expect from external…
paul
3 votes, 0 answers

Improper_Restriction_of_XXE_REF

I'm new to using the Checkmarx tool and to checking for security flaws in code in general. I have a method which is supposed to read from an input stream. The method works; however, I am getting XXE and SSRF errors. public static String…
Tuss
3 votes, 0 answers

How to prevent XXE attack (XmlSerializer in .Net)

We had a Veracode security audit on some old legacy apps and found that we are vulnerable to an External Entity (XXE) attack. I have fixed most of the problems, but I've run across some code I have no idea how to deal with and I am hoping someone…
comfortablyNumb
3 votes, 1 answer

Preventing XML External Entity Injection in Soap Based Web Services under JBoss EAP 5.0.1

We are using JBoss EAP 5.0.1 with JBoss WS 3.0.4 and we are trying to find a solution for preventing XML External Entity injection. How to fix this other than upgrading it to a higher version?
M Asuncion
2 votes, 1 answer

Are XML parsers safe from XML External Entity (XXE) injection in .NET Core?

I am trying to determine if a .NET Core application is vulnerable to XML External Entity (XXE) injection attacks. I read this OWASP XXE Prevention Cheat Sheet which tells me, for example, that XmlDocument is unsafe by default in .NET Framework…
srk
2 votes, 1 answer

Do I have to set XMLResolver to null for preventing XXE attacks?

I am trying to reproduce the XXE scenario which is posted in the following link: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md. As I read from the documentation, the following code block…
Ozgur Tuzgen
2 votes, 1 answer

Veracode XML External Entity Reference (XXE) unmarshaling org.w3c.dom.Element

I am getting an XML External Entity Reference (XXE) vulnerability from the code scan audit (Veracode) while unmarshaling an Element. public static T unMarshal(org.w3c.dom.Element content, Class clazz) throws JAXBException { JAXBContext…
2 votes, 0 answers

How to prevent XML External Entity attack with JDK6

My application uses JDK6. I have to fix the XXE vulnerability in my code and was able to find the solution below. But the below code works only with JDK7. I have a limitation to fix this without upgrading to JDK7. The code I found as a fix…
2 votes, 1 answer

How to disable External Entity Resolution in Xerces C++ DOMLSParser

We are using Xerces C++ DOMLSParser. I want to disable External Entities but could not find anything for DOMLSParser. How to disable Loading External Entities to prevent XXE attacks?
Chandu
2 votes, 1 answer

XXE and billion laughs

Is XXE and billion laughs possible using xmlpullfactory? I have tried the XML code below ]> &js; parsed above xml…