Posts

Showing posts with the label Web Security

[JAVA] Invalid XML External Object Reference - Secure Coding Guide

What is XXE
XXE (XML External Entities) is a vulnerability that arises while parsing XML: an attacker supplies a document whose external entity declarations make the parser perform actions the application never intended. A malicious XML document can read files from the server's file system, reach internal or remote hosts, and, depending on the parser and platform, lead to remote code execution or denial of service.
- If DTD processing cannot be disabled completely, external entities and external document type declarations must be disabled in the way specific to each parser.

Solution plan
1. When using DocumentBuilderFactory
   .setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
   .setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
2. When using SAXParser
   .setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
   .setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
3. When using SAXParserFactory
   .setFeature("http://....", true);
4. When using TransformerFactory
   .setAttribut...
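As an added example (not code from the original post), the settings the excerpt lists applied to a constructed hostile document: the preferred "no DOCTYPE at all" configuration, the fallback that keeps the DTD but blocks every external fetch, and the equivalent settings for SAXParserFactory and TransformerFactory. The class name, the method names, and the file path inside the entity are assumptions made for the demo.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;

public class XxeHardeningDemo {

    // Constructed sample input: an internal DTD subset declaring an external entity
    // that points at a local file. A parser left at its defaults inlines that file.
    static final String HOSTILE_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<data>&xxe;</data>";

    // Preferred: refuse DOCTYPE altogether, so no entity can be declared at all.
    static DocumentBuilderFactory dtdDisabled() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Fallback when DOCTYPEs must be accepted: keep the DTD but block external
    // entities and any fetch of external DTDs or schemas (the two attributes from the post).
    static DocumentBuilderFactory externalsDisabled() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Same idea for the SAX entry point: a feature name goes into setFeature(..., true/false).
    static SAXParserFactory hardenedSax() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return spf;
    }

    // XSLT: block external DTDs and external stylesheets (document() / xsl:include).
    static TransformerFactory hardenedTransformer() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Parses the document and returns the text of <data>, or the parser's error message.
    static String parseData(DocumentBuilderFactory dbf, String xml) {
        try {
            Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed: <data> = \"" + doc.getDocumentElement().getTextContent() + "\"";
        } catch (Exception e) {   // SAXParseException for rejected input, IOException, ...
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Default factory on a stock JDK (file present): the file contents land inside <data>.
        System.out.println("default   -> " + parseData(DocumentBuilderFactory.newInstance(), HOSTILE_XML));
        // DOCTYPE disallowed: a SAXParseException before any entity can be declared.
        System.out.println("no DTD    -> " + parseData(dtdDisabled(), HOSTILE_XML));
        // DTD kept, externals blocked: the entity reference is never resolved against the file.
        System.out.println("no extern -> " + parseData(externalsDisabled(), HOSTILE_XML));
        hardenedSax();            // built here only to show the configuration compiles
        hardenedTransformer();
    }
}
```

The order of preference matters: disallow-doctype-decl removes the whole attack surface (including entity-expansion denial of service such as "billion laughs"), whereas the fallback only closes the external-access paths and still has to be repeated for every parser instance your code base creates, including ones hidden inside libraries.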

[JAVA] Path Manipulation and Resource Insertion - Software Security Guide

A security weakness in which system resources such as files and servers are accessed or identified through unverified external input; by manipulating that input, an attacker gains arbitrary access to resources the system is supposed to protect. Using path manipulation and resource insertion, attackers can cause service failures by modifying or deleting resources, leak system information, and create conflicts between system resources. In other words, an attacker can acquire rights they were never granted to change or execute files such as configuration files.

Wrong ex)

How to solve?
If an external input is used as an identifier for a resource (a file, a socket port, etc.), make sure it is properly validated or chosen from a predefined allow-list. In particular, when the external input is a file name, use a filter that removes the characters that enable a directory traversal attack ("/", "\" (displayed as ₩ on Korean systems), ...).

Right e...
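As an added example (not the guide's own code), the "wrong" and "right" resolution of a user-supplied file name side by side: the right version filters traversal characters, requires an allow-listed extension, and then confirms that the normalized result is still inside the base directory. The base directory, the allow-list, the class name and the sample inputs are assumptions made for the demo.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.function.Supplier;

public class SafeFileResolver {

    // Assumed base directory; only files directly inside it may be served.
    static final Path BASE = Paths.get("/var/app/uploads").toAbsolutePath().normalize();
    // Predefined allow-list of acceptable file types (assumed for the demo).
    static final Set<String> ALLOWED_EXT = Set.of("txt", "pdf", "png");

    // Wrong ex) the external value is used directly as the resource identifier:
    // "../../etc/passwd" resolves to a file outside BASE.
    static Path resolveUnsafe(String userFile) {
        return BASE.resolve(userFile);
    }

    // Right ex) filter traversal characters, require an allow-listed extension,
    // then confirm the normalized path is still under BASE.
    static Path resolveSafe(String userFile) {
        if (userFile == null || userFile.isEmpty() || userFile.length() > 255) {
            throw new IllegalArgumentException("invalid length");
        }
        // Directory separators, "..", and NUL never belong in a plain file name.
        if (userFile.contains("/") || userFile.contains("\\")
                || userFile.contains("..") || userFile.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("traversal characters rejected");
        }
        int dot = userFile.lastIndexOf('.');
        String ext = dot < 0 ? "" : userFile.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not in allow-list: " + ext);
        }
        Path resolved = BASE.resolve(userFile).normalize();
        // Defence in depth: even if the filter above is ever weakened, never leave BASE.
        if (!resolved.startsWith(BASE) || resolved.equals(BASE)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return resolved;
    }

    // Runs one resolver and reports either the resulting path or why it was refused
    // (InvalidPathException from java.nio for NUL bytes, IllegalArgumentException from ours).
    static String attempt(Supplier<Path> resolver) {
        try {
            return resolver.get().toString();
        } catch (RuntimeException e) {
            return "REJECTED (" + e.getClass().getSimpleName() + ": " + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate name and several manipulation attempts.
        String[] inputs = {
            "report.pdf",
            "../../etc/passwd",
            "..\\..\\Windows\\win.ini",
            "notes.txt\0.png",
            "shell.jsp"
        };
        for (String in : inputs) {
            System.out.printf("%-26s%n  unsafe: %s%n  safe:   %s%n",
                in.replace("\0", "\\0"),
                attempt(() -> resolveUnsafe(in).normalize()),
                attempt(() -> resolveSafe(in)));
        }
    }
}
```

Two practical points: run the filter on the value as the file system will see it (after URL-decoding and any charset conversion), otherwise "%2e%2e%2f" slips past a check for "../"; and keep the `startsWith(BASE)` check even when you trust the filter, because it is the one test that holds regardless of which characters a future platform treats as separators.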