[JAVA] Invalid XML External Object Reference - Secure Coding Guide


What is XXE
XXE (XML External Entities) is a security vulnerability that arises during XML parsing: an attacker-supplied document declares external entities and the parser resolves them. A malicious XML document can thereby enable attacks such as reading the server's file system, remote code execution, and denial of service.
- If DTDs cannot be disabled entirely, external entities and external document type declarations must be disabled in the way that is specific to each parser.

Solution plan

1. When using DocumentBuilderFactory

.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

2. When using SAXParser

.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

3. When using SAXParserFactory

.setFeature("http://....", true);

4. When using TransformerFactory

.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");


Right ex)

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

DocumentBuilderFactory doc = DocumentBuilderFactory.newInstance();
DocumentBuilder docbU = null;
Document docU = null;

// Reject any <!DOCTYPE> declaration, so no DTD and no entity can be declared at all
doc.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth: even if a DOCTYPE were accepted, do not resolve external entities
doc.setFeature("http://xml.org/sax/features/external-general-entities", false);
doc.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

docbU = doc.newDocumentBuilder();
docU = docbU.parse(xmlUrl);   // xmlUrl: the untrusted input (URI string, File or InputStream)
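Added example, not code from the original post: one Java class that gathers the four plan items above and the "Right ex)" into hardened factory methods for DocumentBuilderFactory, SAXParserFactory/SAXParser and TransformerFactory, plus a check that the hardened DOM parser refuses a document carrying a DOCTYPE. The class and method names and the sample XML are my own; the feature URIs are the ones the post uses (the JDK's bundled parser supports them), and the JAXP constants in XMLConstants are the ones the plan names.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class HardenedXmlFactories {

    // Parser feature names used in the post (supported by the JDK's built-in Xerces parser).
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";

    /** Plan item 1 and the "Right ex)": DOM parsing with DTDs rejected outright. */
    public static DocumentBuilderFactory documentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);        // strongest option: any <!DOCTYPE> is a fatal error
        f.setFeature(EXT_GENERAL_ENTITIES, false);   // defence in depth if a DOCTYPE ever has to be allowed
        f.setFeature(EXT_PARAMETER_ENTITIES, false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");     // "" = no protocol may fetch an external DTD
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");  // same for external schemas
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Plan item 3: SAXParserFactory with the same parser features. */
    public static SAXParserFactory saxParserFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXT_GENERAL_ENTITIES, false);
        f.setFeature(EXT_PARAMETER_ENTITIES, false);
        return f;
    }

    /** Plan item 2: the SAXParser instance additionally gets the JAXP access properties. */
    public static SAXParser saxParser() throws ParserConfigurationException, SAXException {
        SAXParser p = saxParserFactory().newSAXParser();
        p.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        p.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return p;
    }

    /** Plan item 4: TransformerFactory must also refuse external DTDs and stylesheets. */
    public static TransformerFactory transformerFactory() throws TransformerConfigurationException {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    /** True when the hardened DOM parser refuses the document; a DOCTYPE must never get through. */
    public static boolean rejectsDocument(String xml) throws ParserConfigurationException, java.io.IOException, SAXException {
        DocumentBuilder b = documentBuilderFactory().newDocumentBuilder();
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {   // disallow-doctype-decl reports the DOCTYPE as a fatal error
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a DOCTYPE declaring an external entity with a placeholder URI.
        // The hardened parser fails on the DOCTYPE itself, so the URI is never resolved.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE note [ <!ENTITY ext SYSTEM \"file:///placeholder/never-read\"> ]>\n"
                + "<note>&ext;</note>";
        String plain = "<?xml version=\"1.0\"?><note>hello</note>";

        System.out.println("DOCTYPE document rejected: " + rejectsDocument(withDoctype));
        System.out.println("Plain document rejected:   " + rejectsDocument(plain));
    }
}
```

Running main prints that the DOCTYPE document is rejected and the plain document is not: with disallow-doctype-decl set, the parser throws a SAXParseException as soon as it sees <!DOCTYPE>, before any entity could be declared or fetched. Keep the external-entity and ACCESS_EXTERNAL_* settings anyway; they are what protect you on a parser where the DOCTYPE has to stay enabled, as the bullet under "What is XXE" says.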


😀

Thank you!!

Thanks!!