XML External Entity (XXE) Injection
Description
XML External Entity (XXE) attacks can occur when an XML parser resolves entities declared in a DOCTYPE while processing XML received from an untrusted source. An attacker-supplied external entity can make the parser read local files or fetch remote resources, leading to unauthorized access to sensitive data, denial of service, or other malicious activities.
Examples
Insecure Code
```scala
import javax.xml.parsers.DocumentBuilderFactory, org.xml.sax.InputSource, java.io.StringReader

// Default factory: DOCTYPE declarations are accepted and external entities are resolved.
val df = DocumentBuilderFactory.newInstance
val db = df.newDocumentBuilder()
// The untrusted document declares an external entity; the parser reads the file it names.
db.parse(new InputSource(new StringReader("<?xml version='1.0'?><!DOCTYPE root [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]><root>&xxe;</root>")))
```
Secure Code
```scala
import javax.xml.parsers.DocumentBuilderFactory, org.xml.sax.InputSource, java.io.StringReader

val df = DocumentBuilderFactory.newInstance
// Reject any DOCTYPE (and with it any entity declaration) as a fatal parse error.
df.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
val db = df.newDocumentBuilder()
// Well-formed input without a DOCTYPE still parses normally.
db.parse(new InputSource(new StringReader("<?xml version='1.0'?><root>data</root>")))
```
Remediation
To prevent XXE attacks, set the 'http://apache.org/xml/features/disallow-doctype-decl' feature to true, or the 'javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING' feature to true, on the DocumentBuilderFactory instance before calling newDocumentBuilder(). Disallowing the DOCTYPE declaration rejects any document that declares entities, so no external entity can be resolved.
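As an added example (not part of the rule text), a Scala helper that applies the remediation above and then parses untrusted input, so that a document carrying a DOCTYPE is reported as rejected rather than resolved. The object and method names are hypothetical; the features beyond disallow-doctype-decl are standard JAXP/SAX features added here as defence in depth, and the two sample documents are constructed.

```scala
import javax.xml.XMLConstants
import javax.xml.parsers.{DocumentBuilder, DocumentBuilderFactory}
import org.xml.sax.{InputSource, SAXParseException}
import org.w3c.dom.Document
import java.io.StringReader
import scala.util.{Failure, Success, Try}

object HardenedXmlParser {
  // Build a DocumentBuilder that refuses any DOCTYPE and, as defence in depth,
  // disables the remaining ways a parser can fetch external content.
  def secureDocumentBuilder(): DocumentBuilder = {
    val df = DocumentBuilderFactory.newInstance
    // Primary control from the rule: any DOCTYPE in the input is a fatal error.
    df.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Secondary controls, in case a parser implementation ignores the feature above.
    df.setFeature("http://xml.org/sax/features/external-general-entities", false)
    df.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    df.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    df.setXIncludeAware(false)
    df.setExpandEntityReferences(false)
    df.newDocumentBuilder()
  }

  // Parse untrusted XML; a rejected DOCTYPE comes back as a Left instead of an exception.
  def parseUntrusted(xml: String): Either[String, Document] =
    Try(secureDocumentBuilder().parse(new InputSource(new StringReader(xml)))) match {
      case Success(doc)                  => Right(doc)
      case Failure(e: SAXParseException) => Left(s"rejected: ${e.getMessage}")
      case Failure(e)                    => Left(s"parse error: ${e.getMessage}")
    }

  def main(args: Array[String]): Unit = {
    // Constructed sample inputs: the rule's payload shape and a benign document.
    val hostile = "<?xml version='1.0'?><!DOCTYPE root [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]><root>&xxe;</root>"
    val benign  = "<?xml version='1.0'?><root>data</root>"
    println(parseUntrusted(hostile))
    println(parseUntrusted(benign).map(_.getDocumentElement.getTextContent))
  }
}
```

Configure the factory once and reuse it where possible; the important property is that every builder handed untrusted input was created from a factory hardened this way.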
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0088 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | XXE, XML Injection |
| OWASP | N/A |