Questions tagged [xxe]

XML External Entity (XXE)

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.

87 questions
1 vote, 1 answer

Prevent XXE Attack with XStream

Wanted to know how we can fix the XML External Entity (XXE) vulnerability with the XStream API. Like we can do // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented // Xerces 2 only -…
Aniket Thakur
1 vote, 6 answers

Small fix for CVE-2016-3720 with older versions of jackson-all-1.9.11, and in jackson 2.x which is not patched

The explanation of CVE-2016-3720 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3720 is vague, but reading the code I found the following issues. Even after fixing the issues, the OWASP Dependency Check Tool still reports the jar file…
Peter Lenahan
1 vote, 0 answers

How to eliminate Improper Restriction of XML External Entity Reference ('XXE') error?

We recently failed a Veracode security scan due to several CWE-611: Improper Restriction of XML External Entity Reference ('XXE') errors. There have been several questions on this topic asked and answered and I've tried using the solutions provided…
comfortablyNumb
1 vote, 2 answers

XDocument.Parse: Avoid replacing XXE references

I'm trying to protect against malicious XXE injections in the XMLs processed by my app. Therefore I'm using XDocument instead of XmlDocument. The XML represents the payload of a web request so I call XDocument.Parse on its string content. However,…
Horia Toma
1 vote, 0 answers

Groovy avoid XML External Entity Injection

I have a problem with XML external entity injection. Working example: def xslt = "\n" + " ]>\n" + " …
Peter
1 vote, 1 answer

Prevent XXE attack on jboss 4.2

Is it possible to prevent an XXE attack on a web service deployed on JBoss 4.2 somehow? The WS is defined by annotation. I cannot find any configuration to disable support for external entities and DTDs. In this post (Prevent XXE Attack with JAXB) is a…
n1cr4m
1 vote, 1 answer

JAXB XXE attack with Default Parser

This is regarding avoiding XXE attack while using JAXB APIs. I understand that when using JAXB, the default parsing mechanism can be overridden and an alternate SAX Parser can be employed and set entity features to avoid XXE attacks. But would like…
object
1 vote, 1 answer

XXE vulnerabilities in Javascript

Is it true (or does it at least make sense) that one can have an XXE attack on JavaScript? That is, when trying to parse XML with JS, does it process external entities? But this parsing is executed client side, am I right? What harm can it do to a…
pnpo
0 votes, 2 answers

Validate xml against a given xsd in static block vs non-static

I have two approaches to validating my XML against an XSD which is stored in the resources of my legacy application. Validations are done 1000+ times daily and the code runs 24*7. Approach 1: Is to create a static SchemaFactory public class XmlValidator { …
likeGreen
0 votes, 0 answers

How to prevent XML external entity attack (XXE attack) on SOAP Request(Jaxws-spring) Webservice

I want to disallow XML external entity attacks (XXE attacks) on SOAP requests. When the consumer team sends a SOAP call to us, they may replace the XML data with a malicious external entity that references the server's file /etc/passwd.
Kunu
0 votes, 1 answer

TransformerFactory with FOP : Issue when disabling ACCESS_EXTERNAL_DTD

I'm trying to secure a piece of code from XXE attack. The code uses FOP library and mimeFormat is application/pdf. The original code works well: protected static void transformTo(Result result, Source src, String mimeFormat, String…
Sybuser
0 votes, 0 answers

How to prevent XXE attacks on dom4j 2.1.1?

We are using the dom4j 2.1.1 library for our application to parse internal and external XML documents. After a code audit, it was discovered that there was a potential XXE vulnerability with dom4j versions <2.0.3 and >2.1.3. However, with dom4j…
0 votes, 2 answers

java.lang.IllegalArgumentException: Not supported: http://javax.xml.XMLConstants/property/accessExternalDTD

I got vulnerabilities flaws from the scan report for Java code, did some research, and found this recommendation to resolve such issues: Improper Restriction of XML External Entity Reference (CWE ID 611) This is the code including the fix for the…
tarekahf
0 votes, 0 answers

Log4Net XXE-attack vulnerability

I am maintaining an ASP.NET Framework 4.6 application that uses Log4Net (version 1.2.10.0) to store logs. I read that it has XXE vulnerabilities, so I am wondering whether I need to upgrade it. As I understand XXE attacks, the user needs to be able to…
Olof84
0 votes, 0 answers

How can I manipulate certain server side responses? Specifically Ajax Responses? XXE Attack? Hybrid DNS Resolution?

I would like to be able to switch back and forth between the real DNS and maybe setting a local DNS entry so I can manipulate AJAX responses for code security checks. For instance if the server responds with Ajax on page 1 that page 2 is not…
Neo