XML External Entity (XXE) Vulnerability
Description
XML External Entity (XXE) attacks occur when an XML parser processes a DOCTYPE from an untrusted source and resolves the entities it declares. An attacker who controls the document can declare an external entity whose SYSTEM identifier points at a local file or an internal URL; when the parser expands the entity, the file content or the HTTP response is pulled into the document and can be echoed back in output or error messages (data disclosure, server-side request forgery). Recursive entity declarations ("billion laughs") cause exponential expansion and denial of service.
Examples
Insecure Code
scala
```scala
import java.io.StringReader
import org.xml.sax.InputSource
import org.xml.sax.helpers.XMLReaderFactory

// Default reader: DOCTYPE is accepted and external entities are resolved.
val reader = XMLReaderFactory.createXMLReader
reader.parse(new InputSource(new StringReader(xmlString)))
```
Secure Code
```scala
import java.io.StringReader
import javax.xml.XMLConstants
import org.xml.sax.InputSource
import org.xml.sax.helpers.XMLReaderFactory

val reader = XMLReaderFactory.createXMLReader
reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
reader.parse(new InputSource(new StringReader(xmlString)))
```
Remediation
Set the FEATURE_SECURE_PROCESSING feature to true on the XMLReader instance before parsing. On the JDK's built-in parser this limits entity expansion and restricts external DTD and entity access; third-party SAX implementations are not required to treat the feature the same way. Where the application never needs a DTD, the stronger and implementation-independent control is to reject the DOCTYPE entirely with the `http://apache.org/xml/features/disallow-doctype-decl` feature, and to disable `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` when a DTD must be tolerated. Verify the fix by feeding the parser a document that declares an external entity and confirming it is rejected rather than expanded.
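The following self-contained program, added here as an illustration and not part of the rule's own code, demonstrates the difference between the default reader and a hardened one. It writes a constructed secret to a temp file, builds an XXE payload whose external entity points at that file via a `file://` URI, and parses it both ways: the default reader expands the entity and the file content appears in the parsed text, while the hardened reader (FEATURE_SECURE_PROCESSING plus `disallow-doctype-decl` and the two external-entity features, as recommended above) throws a SAXParseException before any entity is resolved. `TextCollector`, `parseWith` and `hardenedReader` are names chosen for this example.

```scala
import java.io.StringReader
import java.nio.file.Files
import javax.xml.XMLConstants
import org.xml.sax.{InputSource, SAXParseException, XMLReader}
import org.xml.sax.helpers.{DefaultHandler, XMLReaderFactory}

object XxeDemo {
  // Collects character data so we can observe what the parser expanded.
  final class TextCollector extends DefaultHandler {
    val buf = new StringBuilder
    override def characters(ch: Array[Char], start: Int, length: Int): Unit =
      buf.appendAll(ch, start, length)
  }

  // Parses xml with the given reader and returns the concatenated text content.
  def parseWith(reader: XMLReader, xml: String): String = {
    val handler = new TextCollector
    reader.setContentHandler(handler)
    reader.parse(new InputSource(new StringReader(xml)))
    handler.buf.toString
  }

  // Hardened reader: secure processing plus an outright ban on DOCTYPE,
  // so no entity (internal or external) can be declared at all.
  def hardenedReader(): XMLReader = {
    val reader = XMLReaderFactory.createXMLReader()
    reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Belt and braces for parsers where a DTD must be tolerated.
    reader.setFeature("http://xml.org/sax/features/external-general-entities", false)
    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    reader
  }

  def main(args: Array[String]): Unit = {
    // Constructed secret standing in for /etc/passwd or an application config.
    val secret = Files.createTempFile("xxe-demo", ".txt")
    Files.write(secret, "db-password=hunter2".getBytes("UTF-8"))

    // Attacker-controlled document: the external entity reads the secret file.
    val payload =
      s"""<?xml version="1.0"?>
         |<!DOCTYPE order [ <!ENTITY xxe SYSTEM "${secret.toUri}"> ]>
         |<order><note>&xxe;</note></order>""".stripMargin

    // Default reader resolves the entity: the secret leaks into the parsed text.
    println("default reader : " + parseWith(XMLReaderFactory.createXMLReader(), payload))

    // Hardened reader rejects the DOCTYPE before any entity is resolved.
    try {
      println("hardened reader: " + parseWith(hardenedReader(), payload))
    } catch {
      case e: SAXParseException =>
        println("hardened reader rejected the document: " + e.getMessage)
    }

    Files.deleteIfExists(secret)
  }
}
```

Run it with `scala XxeDemo.scala` (or inside an sbt project) on a JDK; the first line prints the temp file's contents, the second reports that DOCTYPE is disallowed. The same three feature settings apply to a reader obtained from `SAXParserFactory`, which is the non-deprecated route on Java 9 and later.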
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0091 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | XXE, XML Injection |
| OWASP | N/A |