Questions tagged [xxe]

XML External Entity (XXE)

An XML External Entity (XXE) attack targets an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack may lead to disclosure of confidential data, denial of service, port scanning of hosts reachable from the machine where the parser runs, and other system impacts.

87 questions
47 votes, 1 answer

Prevent XXE Attack with JAXB

Recently, we had a security audit on our code, and one of the problems is that our application is subject to the Xml eXternal Entity (XXE) attack. Basically, the application is a calculator that receives inputs as XML, through a Web-Service. Here is…
Romain Linsolas
21 votes, 1 answer

Clarifications on XXE vulnerabilities throughout PHP versions

I post a question here as a last resort; I have browsed the web and went through many attempts but did not succeed. Replicating an XXE attack is what I am trying to do, in order to prevent them, but I cannot seem to get my head around the way PHP…
FMCorz
15 votes, 8 answers

org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized

I want to prevent an XXE attack in my project. It's an old API project which runs on Java 7 (no Maven) and a jboss-as-7 server. But during the execution I get the error: org.xml.sax.SAXNotRecognizedException: Property…
Abhishek Singh
12 votes, 2 answers

How to Prevent XML External Entity Injection on TransformerFactory

My problem: Fortify 4.2.1 is marking the code below as susceptible to an XML External Entities attack. TransformerFactory factory = TransformerFactory.newInstance(); StreamSource xslStream = new StreamSource(inputXSL); Transformer transformer =…
Ravi Ranjan
9 votes, 5 answers

Fortify fix for XML External Entity Injection

When I do a scan using the Fortify tool, I got some issues under "XML External Entity Injection". TransformerFactory trfactory = TransformerFactory.newInstance(); This is the place where it is showing an error. I have given the below fix as suggested by…
veera
8 votes, 2 answers

asp.net .asmx web service shows XXE vulnerability - External DNS

We have uncovered an XML External Entity vulnerability in our asp.net asmx web service. We are testing an asp.net .asmx web service using Burp Suite, to check for XML External Entity Processing vulnerabilities.…
user10102158
7 votes, 1 answer

Is the gemfile.lock file needed in a Jekyll site hosted with Github Pages?

Lately I've gotten into Jekyll for building documentation sites and hosting them on Github Pages. I understand Github Pages has a very limited list of what is allowed plugin-wise. While doing some vulnerability testing I found out the file…
DᴀʀᴛʜVᴀᴅᴇʀ
7 votes, 1 answer

XXE: Improper Restriction of XML External Entity Reference With XDocument

So I am running into an issue when I run a security scan on my application. It turns out that I am failing to protect against XXE. Here is a short snippet showing the offending code: static void Main() { string inp =…
Bitz
7 votes, 2 answers

Veracode XML External Entity Reference (XXE)

I've got the following finding in my Veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611), referring to the code below ... DocumentBuilderFactory dbf=null; DocumentBuilder db = null; try { …
Jose Miguel
5 votes, 1 answer

Is WCF vulnerable to XXE attacks?

Are WCF services vulnerable to XXE attacks? If yes, are there ways to prevent it? Recently we had a security audit of our application in my company and they have highlighted that they were able to send extra content into an API (in the form of…
Sarath KCM
5 votes, 2 answers

HP Fortify XML External Entity Injection

HP Fortify shows me an XML external entity injection on the below code: StringBuilder sb = new StringBuilder(); StringWriter stringWriter = new StringWriter(sb); xmlSerializer.Serialize(stringWriter, o); XmlDocument xmlDoc = new…
user3089816
5 votes, 1 answer

How to disable XXE in libxml2 in C?

Requirement: When I pass the following request to my application, 1) How do I do XML validation on such an input XML, which is a risk? 2) How do I disable XXE in libxml2, i.e. it should not parse the ENTITY field?
Praveen PVS
4 votes, 0 answers

DocumentBuilderFactory cannot setFeature FEATURE_SECURE_PROCESSING

I am trying to create an instance of DocumentBuilderFactory with FEATURE_SECURE_PROCESSING set to true. I keep getting ParserConfigurationException when I am trying to setFeature. DocumentBuilderFactory factory =…
Volodymyr Prysiazhniuk
4 votes, 1 answer

Is SAXParserFactory susceptible to XXE attacks?

We read our XML template files using javax.xml.parsers.SAXParserFactory. If there is XXE in the XML file we're reading, is there a way to turn off processing that? thanks - dave
David Thielen
4 votes, 0 answers

Improper Restriction of XML External Entity Reference - Java with DocumentBuilderFactory

I've been trying to resolve the Veracode "Improper Restriction of XML External Entity Reference" flaw. I looked up the issue online and found a few suggestions on how to resolve it, namely: Set the features mentioned in the OWASP cheat sheet Set…
EH Khiari