SAXParserFactory Improperly Configured Against XXE
Description
SAXParserFactory is used without disabling DOCTYPE declarations or external entities, so any XML the application parses may declare an external entity that the JDK's default parser resolves. A crafted document can then pull local files into the parsed content (file disclosure), make the server fetch attacker-chosen URLs (SSRF), or exhaust memory and CPU through recursive entity expansion (denial of service). This is XML External Entity (XXE) injection, CWE-611.
Examples
Insecure Code

```java
// Default factory: DOCTYPE declarations and external entities are both accepted.
SAXParserFactory spf = SAXParserFactory.newInstance();
```

Secure Code

```java
SAXParserFactory spf = SAXParserFactory.newInstance();
// Preferred: reject any DOCTYPE, which removes the ability to declare entities at all.
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// OR, when inline DTDs must be accepted, keep the DOCTYPE but never resolve external entities.
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
```

Remediation

Configure the factory before calling newSAXParser(), since features set afterwards do not affect parsers already created. Set disallow-doctype-decl to true; this rejects every document carrying a DOCTYPE, including harmless ones, so use it wherever the application does not need DTDs. Where DTDs must be accepted, set external-general-entities to false and external-parameter-entities to false instead, and also disable loading of external DTDs (http://apache.org/xml/features/nonvalidating/load-external-dtd) and XInclude (setXIncludeAware(false)) so that no network or file access remains reachable from the document.
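The following is an added, runnable illustration of the three configurations above; it is not part of the original rule page. It writes a temporary file as a constructed stand-in for a sensitive file, builds an XXE payload whose SYSTEM entity points at it, and parses that payload with a default factory, a factory that disallows DOCTYPE, and a factory that keeps the DOCTYPE but disables external entities. The behaviour shown for the default factory assumes the JDK's built-in Xerces parser, which resolves external entities unless told otherwise; the class and method names are the example's own.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class SaxXxeDemo {

    /** Preferred hardening: any DOCTYPE is rejected, so no entity can be declared. */
    static SAXParserFactory strictFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setXIncludeAware(false);
        return spf;
    }

    /** Fallback when inline DTDs must be accepted: keep the DOCTYPE, never fetch external content. */
    static SAXParserFactory dtdTolerantFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setXIncludeAware(false);
        return spf;
    }

    /** Parses xml with the given factory and returns the concatenated character data. */
    static String parseText(SAXParserFactory spf, String xml) throws Exception {
        StringBuilder text = new StringBuilder();
        SAXParser parser = spf.newSAXParser();
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file (e.g. a credentials file).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "top-secret".getBytes(StandardCharsets.UTF_8));

        // Constructed XXE payload: the external entity resolves to the file above.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<foo>&xxe;</foo>";

        // Insecure default: the entity is resolved and the file content lands in the parsed text.
        System.out.println("default  : " + parseText(SAXParserFactory.newInstance(), payload));

        // disallow-doctype-decl: parsing fails on the DOCTYPE before any entity is declared.
        try {
            parseText(strictFactory(), payload);
        } catch (SAXException e) {
            System.out.println("strict   : rejected (" + e.getMessage() + ")");
        }

        // External entities off: the DOCTYPE is accepted but &xxe; is skipped, so nothing leaks.
        System.out.println("tolerant : '" + parseText(dtdTolerantFactory(), payload) + "'");

        Files.deleteIfExists(secret);
    }
}
```

Run it with `java SaxXxeDemo.java` on JDK 11 or later. Only the first line should ever show the file content; the strict factory throws a SAXParseException on the DOCTYPE, and the DTD-tolerant factory reports the entity as skipped rather than expanding it, so its text output is empty.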
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0283 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XXE, SAXParserFactory |
| OWASP | A05:2021-Security Misconfiguration |