XMLInputFactory Misconfiguration
Description
An XMLInputFactory is created without disabling external entity resolution or external DTD access. Parsers built from such a factory will resolve external entities declared in attacker-controlled XML, which leads to XXE (XML External Entity) vulnerabilities: disclosure of local files, exfiltration of data to remote hosts, and denial of service through entity expansion.
Examples
Insecure Code
```java
XMLInputFactory factory = XMLInputFactory.newFactory();
```
Secure Code
```java
XMLInputFactory factory = XMLInputFactory.newFactory();
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
```
Remediation
Set ACCESS_EXTERNAL_DTD to "" and set javax.xml.stream.isSupportingExternalEntities to false.
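The following is an added, self-contained example (not code from the rule page or from any project it describes) that builds the hardened factory shown above and feeds it a constructed document containing an external entity declaration, so the effect of the two properties can be observed end to end. It goes one step beyond the page by also switching off `XMLInputFactory.SUPPORT_DTD` where the parser supports it, which additionally blocks internal entity expansion; the class name, the helper methods and the `file:///placeholder/secret.txt` path are assumptions made for the illustration. `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` is the JDK constant for the `javax.xml.stream.isSupportingExternalEntities` property named on the page.

```java
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class HardenedStaxExample {

    // Build an XMLInputFactory with external DTD access and external entity
    // resolution disabled, as the remediation above prescribes.
    public static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        // Empty protocol list: no external DTD may be fetched by any protocol.
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // Never expand references to external entities.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        // Beyond the page: drop DTD processing entirely when the implementation
        // allows it, which also removes internal-entity expansion (DoS) from reach.
        if (factory.isPropertySupported(XMLInputFactory.SUPPORT_DTD)) {
            factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        }
        return factory;
    }

    // Parse a document with the given factory and return the concatenated
    // character content. Unexpanded entity references are reported inline so
    // the caller can see that nothing was resolved.
    public static String collectText(XMLInputFactory factory, String xml)
            throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                } else if (event == XMLStreamConstants.ENTITY_REFERENCE) {
                    // A hardened parser leaves the reference unresolved instead
                    // of reading the target.
                    text.append("[unresolved entity: ")
                        .append(reader.getLocalName()).append("]");
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: an inline DOCTYPE declaring an external
        // entity that points at a placeholder local path.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\"> ]>\n"
            + "<doc>&ext;</doc>";
        try {
            String result = collectText(hardenedFactory(), xml);
            // Depending on the StAX implementation the document parses with the
            // reference left unexpanded; the file is never read.
            System.out.println("Parsed without resolving external content: " + result);
        } catch (XMLStreamException e) {
            // Other implementations reject the document outright once DTD
            // support is off; that outcome is equally safe.
            System.out.println("Parser rejected the document: " + e.getMessage());
        }
    }
}
```

Two points worth checking in a real code base: `setProperty` throws `IllegalArgumentException` for a property the implementation does not recognise, so guarding less common properties with `isPropertySupported` (as done for `SUPPORT_DTD`) keeps the hardening portable across the JDK parser and third-party StAX providers; and the factory must be configured before the first `createXMLStreamReader` call, since readers already created keep the settings they were built with.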
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0766 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | XXE, XML External Entity |
| OWASP | A05:2021-Security Misconfiguration |