XML External Entity (XXE) Vulnerability
Description
XML External Entity (XXE) attacks can occur when an XML parser resolves external entities (including external DTDs) while processing XML received from an untrusted source. This can lead to unauthorized access to sensitive data, denial of service, or other malicious activities.
Examples
Insecure Code
```scala
// Factory left at its defaults: external DTD and schema access are not restricted
val transformer = TransformerFactory.newInstance().newTransformer()
```
Secure Code
```scala
val transformerFactory = TransformerFactory.newInstance()
// Block resolution of external DTDs and schemas
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "")
// Enable the JAXP secure-processing limits
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
val transformer = transformerFactory.newTransformer()
```
Remediation
Disable external entities by setting ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to empty strings, and enable secure processing by setting FEATURE_SECURE_PROCESSING to true.
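The following added example (not part of the original rule page or any project it describes) wraps the remediation above in a small Scala object: a helper that builds the hardened factory, a check that reads the settings back so a test suite can assert a factory is configured as this rule requires, and an identity transform run over two constructed inputs, one benign and one carrying a DOCTYPE that points at a placeholder external DTD URL (`dtd.example.invalid`, an assumption). The object and method names (`SafeTransformer`, `hardenedFactory`, `isHardened`, `identityTransform`) are hypothetical.

```scala
import java.io.{StringReader, StringWriter}
import javax.xml.XMLConstants
import javax.xml.transform.{TransformerException, TransformerFactory}
import javax.xml.transform.stream.{StreamResult, StreamSource}

object SafeTransformer {

  // Build a TransformerFactory with external DTD/schema access disabled,
  // exactly as the remediation describes.
  def hardenedFactory(): TransformerFactory = {
    val factory = TransformerFactory.newInstance()
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "")
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    factory
  }

  // Read the settings back; useful as a unit-test assertion on any factory
  // the application constructs elsewhere.
  def isHardened(factory: TransformerFactory): Boolean =
    factory.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD) == "" &&
      factory.getAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA) == "" &&
      factory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)

  // Identity transform of an untrusted XML string using the hardened factory.
  // If the input references an external DTD, the JAXP access restriction makes
  // transform() throw instead of fetching it.
  def identityTransform(xml: String): String = {
    val transformer = hardenedFactory().newTransformer()
    val out = new StringWriter()
    transformer.transform(new StreamSource(new StringReader(xml)), new StreamResult(out))
    out.toString
  }

  def main(args: Array[String]): Unit = {
    require(isHardened(hardenedFactory()), "factory is not hardened")

    // Constructed benign input: no DOCTYPE, transforms normally.
    val benign = """<?xml version="1.0"?><note><to>ops</to></note>"""
    println(identityTransform(benign))

    // Constructed input with a DOCTYPE pointing at a placeholder external DTD
    // (dtd.example.invalid is an assumption, not a real host). The hardened
    // factory refuses to resolve it.
    val withExternalDtd =
      """<?xml version="1.0"?><!DOCTYPE note SYSTEM "http://dtd.example.invalid/note.dtd"><note/>"""
    try {
      identityTransform(withExternalDtd)
      println("external DTD was not blocked; check the factory configuration")
    } catch {
      case e: TransformerException =>
        println(s"blocked as expected: ${e.getMessage}")
    }
  }
}
```

The `isHardened` check is the part worth keeping in a test suite: it catches a factory that is configured once and later replaced with a default `TransformerFactory.newInstance()`. Beyond what the page lists, `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` is the matching property for stylesheet imports and includes; on the JDK it is restricted when `FEATURE_SECURE_PROCESSING` is enabled, and setting it to `""` explicitly makes the intent clear regardless of implementation.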
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0090 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | XXE, XML External Entity |
| OWASP | N/A |