This repository has been archived by the owner on Sep 6, 2023. It is now read-only.

How to prevent XXE injection when converting XML to an object in Java #37

jwenjian opened this issue Jun 21, 2019 · 0 comments
About XXE

According to OWASP, “An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.”

Prevent XXE injection in Java using JAXB

    import javax.xml.bind.JAXBContext;
    import javax.xml.bind.Unmarshaller;
    import javax.xml.stream.XMLInputFactory;
    import javax.xml.stream.XMLStreamReader;

    public class Demo {
        public static void main(String[] args) throws Exception {
            // AppConfig is the JAXB-annotated target class for appconfig.xml
            JAXBContext jaxbContext = JAXBContext.newInstance(AppConfig.class);

            // Prevent XXE: disable DTD processing and external entity resolution
            // on the StAX factory before any reader is created from it
            XMLInputFactory xif = XMLInputFactory.newFactory();
            xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
            xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
            XMLStreamReader xmlStreamReader = xif.createXMLStreamReader(Demo.class.getResourceAsStream("appconfig.xml"));

            Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();

            // Unmarshal through the hardened reader instead of handing the raw stream to JAXB
            AppConfig appConfig = (AppConfig) unmarshaller.unmarshal(xmlStreamReader);
            xmlStreamReader.close();

            System.out.println(appConfig.toString());
        }
    }

References:
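The following is an added, self-contained example (not code from the issue author) that wraps the same hardening in a reusable helper and checks that it actually works: a benign document unmarshals normally, while a constructed document that starts with a DOCTYPE and declares an entity is rejected before any entity can be resolved. The `AppConfig` class with `name`/`timeoutSeconds` fields, the `SafeJaxbDemo` class name and the sample XML are assumptions for illustration; the code targets the `javax.xml.bind` API available in JDK 8 (on newer JDKs a JAXB runtime dependency is required).

```java
// Added example: hardened JAXB unmarshalling over a StAX reader with DTDs and
// external entities disabled, plus a self-check that DOCTYPE input is refused.
// AppConfig, its fields and the sample XML are constructed for this example.
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SafeJaxbDemo {

    @XmlRootElement(name = "appConfig")
    public static class AppConfig {
        @XmlElement public String name;
        @XmlElement public int timeoutSeconds;
    }

    /** Builds a StAX factory that refuses DTDs and never resolves external entities. */
    static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    /** Unmarshals XML only through the hardened reader; raw input never reaches JAXB directly. */
    static AppConfig parse(String xml) throws JAXBException, XMLStreamException {
        XMLStreamReader reader = hardenedInputFactory().createXMLStreamReader(new StringReader(xml));
        try {
            Unmarshaller u = JAXBContext.newInstance(AppConfig.class).createUnmarshaller();
            return (AppConfig) u.unmarshal(reader);
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: parses normally.
        String benign = "<appConfig><name>demo</name><timeoutSeconds>30</timeoutSeconds></appConfig>";
        AppConfig cfg = parse(benign);
        System.out.println("parsed: " + cfg.name + " / " + cfg.timeoutSeconds);

        // Constructed input carrying a DOCTYPE with an internal entity declaration.
        // With SUPPORT_DTD=false the JDK reader fails at the DOCTYPE; implementations
        // that merely skip the DTD fail at the undeclared entity reference instead.
        // JAXB may surface the StAX error wrapped in an UnmarshalException, so catch both.
        String withDoctype = "<!DOCTYPE appConfig [<!ENTITY greeting \"hi\">]>"
                + "<appConfig><name>&greeting;</name></appConfig>";
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (JAXBException | XMLStreamException e) {
            System.out.println("rejected DOCTYPE input as expected: " + e.getMessage());
        }
    }
}
```

The important design point is that the properties are set on the factory, not on an individual reader, so every reader produced by `hardenedInputFactory()` inherits them; keeping that factory in one place (and treating the second branch of `main` as a regression test) is what stops a later caller from unmarshalling an `InputStream` directly and silently reintroducing the issue.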
