Tainted-saxbuilder-xxe-spring
Tainted saxbuilder xxe spring
tainted-saxbuilder-xxe-spring
tainted-saxbuilder-xxe-spring
The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true). Alternatively, the following configurations also provide protection against XXE attacks. parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""), enabling both of parser.setFeature("http://xml.org/sax/features/external-general-entities", false) and parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false), and enabling both of parser.setExpandEntities(false) and parser.setFeature(“http://xml.org/sax/features/external-parameter-entities”, false)It is also possible to use one of the constructor parameters that will result in a more secure parser by default:new SAXBuilder(XMLReaders.DTDVALIDATING)ornew SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: Java XXE preventionLikelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration