XML External Entity (XXE) Vulnerability
Description
XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. This rule detects the creation of a SAXParser without securing it against XXE attacks.
Examples
Insecure Code

```scala
import javax.xml.parsers.SAXParserFactory

// Default factory: DOCTYPE declarations and external entities are processed as-is.
val sf = SAXParserFactory.newInstance
val parser = sf.newSAXParser
parser.parse(...)
```

Secure Code

```scala
import javax.xml.XMLConstants
import javax.xml.parsers.SAXParserFactory

val sf = SAXParserFactory.newInstance
// Enable secure processing limits and reject any DOCTYPE declaration,
// so external entities can never be declared in the first place.
sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
sf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
val parser = sf.newSAXParser
parser.parse(...)
```

Remediation
Set the FEATURE_SECURE_PROCESSING feature to true on the SAXParserFactory and disallow DOCTYPE declarations by setting the http://apache.org/xml/features/disallow-doctype-decl feature to true.
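As an added example that is not part of this rule page, the following Scala program builds the hardened factory described in the remediation and shows it rejecting any document that carries a DOCTYPE, while a default factory accepts the same document. The XML samples are constructed, and the names `SafeSax`, `hardenedFactory` and `accepts` are chosen here.

```scala
import javax.xml.XMLConstants
import javax.xml.parsers.SAXParserFactory
import org.xml.sax.{InputSource, SAXParseException}
import org.xml.sax.helpers.DefaultHandler
import java.io.StringReader

object SafeSax {
  // Factory hardened as the remediation describes: secure-processing limits on,
  // and every DOCTYPE rejected, so no entity (internal or external) can be declared.
  def hardenedFactory(): SAXParserFactory = {
    val sf = SAXParserFactory.newInstance()
    sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    sf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    sf
  }

  // Parse with the given factory and report whether the document was accepted.
  // A rejected DOCTYPE surfaces as a SAXParseException before any entity is resolved.
  def accepts(sf: SAXParserFactory, xml: String): Boolean = {
    val parser = sf.newSAXParser()
    try {
      parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler)
      true
    } catch {
      case _: SAXParseException => false
    }
  }

  def main(args: Array[String]): Unit = {
    // Constructed samples: a plain document, and one that declares a DOCTYPE.
    // Only an internal entity is used here; the hardened factory rejects the
    // document regardless, because the DOCTYPE itself is disallowed.
    val plain = "<order><id>42</id></order>"
    val withDoctype =
      """<!DOCTYPE order [<!ENTITY label "sample">]>
        |<order><id>&label;</id></order>""".stripMargin

    val hardened = hardenedFactory()
    val default = SAXParserFactory.newInstance()
    println(s"hardened accepts plain document:    ${accepts(hardened, plain)}")
    println(s"hardened accepts DOCTYPE document:  ${accepts(hardened, withDoctype)}")
    println(s"default accepts DOCTYPE document:   ${accepts(default, withDoctype)}")
  }
}
```

Because the hardened factory refuses every DOCTYPE, it also rejects well-formed documents that rely on an internal DTD; for XML from untrusted sources that trade-off is normally the intended one.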
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0089 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | XXE, XML Injection |
| OWASP | N/A |