XML parsing vulnerable to XXE (SAXParser)
Attack
XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source.
Risk 1: Expose local file content (XXE: XML eXternal Entity)
]>&xxe;
[...] ]>&lol9;
Solution
In order to avoid exposing dangerous features of the XML parser, make the following change to the code.
Vulnerable Code:
    import javax.xml.parsers.SAXParser;
    import javax.xml.parsers.SAXParserFactory;

    // Default factory: DTDs and external entities are processed as-is
    SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
    parser.parse(inputStream, customHandler);
The following snippets show two available solutions. You can set one feature or both.
Solution using "Secure processing" mode:
This setting will protect you against denial-of-service attacks and remote file access.
    import javax.xml.XMLConstants;
    import javax.xml.parsers.SAXParser;
    import javax.xml.parsers.SAXParserFactory;

    SAXParserFactory spf = SAXParserFactory.newInstance();
    // Enables the parser's secure-processing limits (entity expansion, external access)
    spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    SAXParser parser = spf.newSAXParser();
    parser.parse(inputStream, customHandler);
Solution disabling DTD:
By disabling DTDs, almost all XXE attacks are prevented, since entities can only be declared inside a DOCTYPE.
    import javax.xml.parsers.SAXParser;
    import javax.xml.parsers.SAXParserFactory;

    SAXParserFactory spf = SAXParserFactory.newInstance();
    // Any <!DOCTYPE> declaration becomes a fatal parse error
    spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    SAXParser parser = spf.newSAXParser();
    parser.parse(inputStream, customHandler);
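The two settings above combined into one hardened factory, plus the SAX external-entity features as a fallback for parsers that do not honour the doctype switch. This is an added example, not code from the original page; the class and method names (HardenedSaxExample, hardenedParser, parseRoot) and the two sample documents are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxExample {

    // Factory with secure processing on, DOCTYPE refused, and external entities disabled.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Fallback for parsers that ignore disallow-doctype-decl: never resolve external entities or DTDs
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setXIncludeAware(false);
        return spf.newSAXParser();
    }

    // Parses untrusted XML and returns the root element name, or null when the parser refused the input.
    static String parseRoot(String xml) throws Exception {
        final String[] root = new String[1];
        DefaultHandler handler = new DefaultHandler() {
            @Override public void startElement(String uri, String local, String qName, Attributes atts) {
                if (root[0] == null) root[0] = qName;
            }
        };
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            hardenedParser().parse(in, handler);
            return root[0];
        } catch (SAXParseException e) {
            // With disallow-doctype-decl, a DOCTYPE is a fatal error before any entity is expanded
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a plain document, then one carrying a DOCTYPE with an internal entity
        System.out.println(parseRoot("<order><id>42</id></order>"));
        System.out.println(parseRoot("<!DOCTYPE x [<!ENTITY e \"v\">]><x>&e;</x>"));
    }
}
```

The second call is the check worth keeping in a unit test: any document that starts with a DOCTYPE must be rejected by the hardened parser, regardless of what the entity declares.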