Questions tagged [xxe]

XML External Entity (XXE)

An XML External Entity (XXE) attack is an attack against an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the host where the parser runs, and other system impacts.

87 questions

XML External Entity Injection: Hp Fortify issue in java 1.6

I was trying to fix an XXE issue and have tried other options, but they won't work. It would be great if there were any pointers. Below is my code snippet: ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); Source xmlSource = new…

XML External Entity injection in xsd upload

I am uploading an xsd in my j2ee based web application, which is generating java classes that are used later for processing. Uploading the xsd has been identified as exploitable for XML External Entity injection. I searched a lot of places and…
amarzeet

How to fix this Unmarshal Exception with JAXB that arose on fixing XXE vulnerabilites?

The format of the XML message we are supposed to process is as follows: .... …
Debabrata Roy

Demo XXE (XML External Entity) attack - Spring Boot

I want to perform an XXE attack. I followed this tutorial https://grokonez.com/java-integration/convert-java-object-intofrom-xml-spring-boot and tried to attack by using entity injection with xxe.xml
Thengocphan

XML External Entities (XXE) attack failing

Please give me a hint why my code is NOT vulnerable to XXE. Code: $text = $_POST['textarea']; $doc = new DOMDocument(); $doc->loadXML($text); echo $doc->textContent; Test case 1: Hello world. Result 1: Hello world. So…
Riwi

Resolving XXE for Oracle DomParser

Here is the code snippet for the DomParser I am using; the DomParser is Oracle's. import oracle.xml.parser.v2.DOMParser; DOMParser domParser = new DOMParser(); domParser.parse(new StringReader(xmlPayload)); Document…
User27854

Testing Scala Play behaviour when posting DTD/XXE XML

I am trying to test my Scala Play application through a unit test, but the behaviour I am experiencing in my test is different from the behaviour I experience when sending a POST request to my route through Postman. I am trying to test that the Scala…
James Whiteley

Foxpro: Is it possible to disable external entity resolution?

Based on the documentation found here: https://msdn.microsoft.com/en-us/library/we9s91f8(v=vs.71).aspx it appears that Microsoft Visual FoxPro is capable of conducting DTD parsing from external sources. "When you import XML using XMLTOCURSOR( ),…
MrSynAckSter

XXE prevention in Java 1.6

Fellow programmers, I'm working on a Java 1.6 application that needs to be cleared of several Fortify issues. The most problematic so far has been XML External Entity, because there seem to be no countermeasures in 1.6. Even the OWASP cheatsheet…
rbolio

XXE prevention via WSDLReader

I'm using WSDLReader.readWSDL() to create a WSDL Definition. I want to know if there is a flag available in javax.wsdl.WSDLReader to check for an XXE attack in the WSDL?
Ravi

Validate DTD and XXE in XML using libxml2 in Objective-C

In my project I want to validate whether the XML contains a DTD or not. Currently I am using the libxml parser to parse the XML.…
user4601102

XML External Entity Vulnerability DoS case: when the expansion happens?

I am working on an app which takes an XML file as input and then processes it. We found out that the app is vulnerable to an XXE DoS attack, namely the famous Billion Laughs case. Before the file is processed, it is validated against a schema. So, my question…
Russell'sTeapot