Questions tagged [xxe]

XML External Entity (XXE)

An XML External Entity (XXE) attack is an attack against an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. It may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.

87 questions
1 vote, 0 answers

XXE Prevention of Spring Webservice SOAP Request

I am using the JaxWS-Spring jar and JAXB for generating my SOAP web service API. Now I want to handle XXE prevention; please help me with how I can do that. applicationContext.xml
Kunu
  • 35
  • 1
  • 6
1 vote, 0 answers

Unexpected Veracode error "Improper Restriction of XML External Entity Reference (CWE ID 611)" (XMLInputFactory vulnerable to XXE)

I'm receiving a Veracode error CWE 611, flagging a block with the following code: public static T toObject( JAXBContext jaxbContext, String xml ) throws JAXBException, XMLStreamException { XMLInputFactory xif =…
Drew Stevens
  • 382
  • 1
  • 12
1 vote, 1 answer

TransformerFactory still vulnerable to XXE attacks

I have a method like below. I've set the FEATURE_SECURE_PROCESSING to true. public String getString(org.w3c.dom.Node node) throws TransformerException { StringWriter writer = new StringWriter(); TransformerFactory…
Anil
  • 543
  • 3
  • 16
1 vote, 1 answer

How do I know whether my application is vulnerable to CVE-2020-13692?

The NVD reports PostgreSQL JDBC Driver as having an XXE vulnerability with High severity (7.7), see https://nvd.nist.gov/vuln/detail/CVE-2020-13692. This type of vulnerability has to do with parsing external entities in XML. I cannot find…
1 vote, 1 answer

Basic Working Example of an XXE Attack in HTML part 2

Follow-up to this: Basic Working Example of an XXE Attack in HTML. It seemed easier to make this follow-up than to try and shoehorn my progress into the previous question. I thought it better to allow the correct answer to that query to appear correct…
bgenchel
  • 3,739
  • 4
  • 19
  • 28
1 vote, 1 answer

How to fix XXE vulnerability in XPathDocument use in C#?

Fortify shows that an XXE vulnerability exists for the below code in C#: XPathDocument doc = new XPathDocument(filePath); Kindly help me fix the issue.
ashish
  • 11
  • 1
1 vote, 0 answers

How to convert soapBody.getPayloadSource() into a simple string

I want to try converting the SoapBody object to a simple XML string using a Transformer, but it gives me XML entity injection (XXE): TransformerFactory tf = TransformerFactory.newInstance(); Transformer transformer = tf.newTransformer(); StringWriter…
Hitesh
  • 271
  • 2
  • 5
  • 18
1 vote, 0 answers

Cannot create XMLStreamReader or XMLEventReader from a DOMSource

I want to use an Unmarshaller on an XMLStreamReader object, but it gives me an error. My code is like: SoapHeader soapHeader = ((SoapMessage) message).getSoapHeader(); Unmarshaller unmarshaller = null; XMLInputFactory xif =…
Hitesh
  • 271
  • 2
  • 5
  • 18
1 vote, 1 answer

How to prevent XML Entity Injection with JAXB

I referred to this link, Prevent XXE Attack with JAXB, but the Kiuwan tool is still showing me very high vulnerabilities on the xif.createXMLStreamReader(soapHeader.getSource()) line, so please help me if anyone knows. My code is below: SoapHeader soapHeader =…
Hitesh
  • 271
  • 2
  • 5
  • 18
1 vote, 0 answers

How to disable DTD processing to prevent XXE attack in MSSOAP.SoapClient30 in Classic ASP

I am using MSSOAP.SoapClient30 to make SOAP web service requests from Classic ASP; it returns XML that contains an external entity, which it processes. SET objSoapClient = Server.CreateObject("MSSOAP.SoapClient30") …
H_H
  • 1,460
  • 2
  • 15
  • 30
1 vote, 0 answers

libxml_disable_entity_loader(false); still no external entities loaded

I've been trying to mimic the XXE vulnerability on my virtual machine for learning purposes. However, I think I misunderstand something. When I call libxml_disable_external_entities(false); I would think that external entities are now loaded,…
CookieAndPizza
  • 71
  • 3
  • 15
1 vote, 1 answer

Orbeon Forms: is there a way to disable the processing of external entities to avoid XXE attacks?

After a PenTest, the Security Team found a possibility of XXE attack when submitting an Orbeon form through an HTTPS request, from our web application. They were able to intercept the following XML:
d.lacher
  • 21
  • 1
  • 5
1 vote, 1 answer

XMLStreamReader / InputStream xxe vulnerability showing up in Checkmarx report

These lines of code are causing an xxe vulnerability to show up in a Checkmarx report: InputStream is = connection.getInputStream(); XMLInputFactory factory = XMLInputFactory.newInstance(); XMLStreamReader reader =…
Artanis
  • 561
  • 1
  • 7
  • 26
1 vote, 0 answers

Is XmlTextReader susceptible to XXE attacks?

We read our XML template files using System.Xml.XmlTextReader. If there is XXE in the XML file we're reading, will that XXE be processed? If so, that is a major security problem. Can it be turned off? Thanks - dave
David Thielen
  • 28,723
  • 34
  • 119
  • 193
1 vote, 1 answer

How can I protect .NET Web Services against XXE exploits?

I am trying to protect a .NET web service against XXE exploits. Since the underlying SOAP message is XML, it is potentially at risk. A way to prohibit DTD processing for XML documents can be found here and here. However, the XML parsing of the SOAP…