tainted-saxbuilder-xxe-spring
Billion Laughs Attack
It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`.

Alternatively, the following configurations also provide protection against XXE attacks:
- `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")`
- enabling both of `parser.setFeature("http://xml.org/sax/features/external-general-entities", false)` and `parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false)`
- enabling both of `parser.setExpandEntities(false)` and `parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false)`

It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`.

For more information, see: Java XXE prevention
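The hardened configuration recommended above, as an added example that is not part of the rule text: it builds a JDOM2 `SAXBuilder` with `disallow-doctype-decl` plus the fallback settings, then shows that a document carrying a DOCTYPE is rejected while a plain document parses. The class name, the `rootName` helper and the two sample inputs are constructed for this example.

```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.jdom2.input.sax.XMLReaders;

/** Added example (not from the rule page): hardening a JDOM2 SAXBuilder against XXE. */
public class SecureSaxBuilderExample {

    /** Builds a SAXBuilder that refuses any DOCTYPE, the configuration the rule recommends. */
    public static SAXBuilder hardenedBuilder() {
        SAXBuilder builder = new SAXBuilder(XMLReaders.NONVALIDATING);
        // Primary defence: reject DOCTYPE declarations outright, which removes both
        // external entity resolution and entity-expansion ("billion laughs") input.
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: also disable external entities and JDOM's own entity expansion,
        // so the parser stays safe even if the primary feature is later removed.
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setExpandEntities(false);
        return builder;
    }

    /** Parses untrusted XML text; returns the root element name, or null if the input was rejected. */
    public static String rootName(SAXBuilder builder, String untrustedXml) {
        try {
            Document doc = builder.build(new StringReader(untrustedXml));
            return doc.getRootElement().getName();
        } catch (JDOMException e) {
            // With disallow-doctype-decl set, any DOCTYPE surfaces here as a parse error.
            System.err.println("rejected: " + e.getMessage());
            return null;
        } catch (IOException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        SAXBuilder builder = hardenedBuilder();
        // Constructed inputs: a plain document and one carrying a harmless DOCTYPE.
        String plain = "<order><id>42</id></order>";
        String withDoctype = "<!DOCTYPE order [<!ENTITY e \"x\">]><order>&e;</order>";
        System.out.println("plain input root: " + rootName(builder, plain));
        System.out.println("DOCTYPE input root: " + rootName(builder, withDoctype));
    }
}
```

A useful regression check is to keep the DOCTYPE case in the test suite, so a later change that drops `disallow-doctype-decl` is caught before it reaches production.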