XML External Entity (XXE) Vulnerability
Description
XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. This rule detects the creation of an XMLStreamReader without properly restricting XML external entity references.
Examples
Insecure Code
```scala
import java.io.StringReader
import javax.xml.stream.XMLInputFactory

val factory = XMLInputFactory.newFactory
val reader = factory.createXMLStreamReader(new StringReader(xml))
```
Secure Code
```scala
import java.io.StringReader
import javax.xml.stream.XMLInputFactory

val factory = XMLInputFactory.newFactory
// Both properties must be set on the factory before any reader is created from it
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)
val reader = factory.createXMLStreamReader(new StringReader(xml))
```
Remediation
Set the SUPPORT_DTD property to false and the IS_SUPPORTING_EXTERNAL_ENTITIES property to false on the XMLInputFactory instance before creating an XMLStreamReader.
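The following is an added, self-contained example (not part of this rule's documentation) showing the hardened factory in use and what a caller observes when a document carrying a DOCTYPE reaches it. The `hardenedFactory`, `readName` and `SafeStax` names and the two sample documents are constructed for this illustration. With both properties set to false, the plain document parses normally, while the document with a DTD is rejected as an `XMLStreamException` (the exact message depends on the StAX implementation in use: the JDK's built-in parser and Woodstox word it differently, and one may fail at the DOCTYPE itself while the other fails when the now-undeclared entity is referenced).

```scala
import java.io.StringReader
import javax.xml.stream.{XMLInputFactory, XMLStreamConstants, XMLStreamException}

object SafeStax {

  // Hardened factory: the two settings from the rule, applied before any reader exists.
  // Disabling DTD support also stops internal entity expansion (entity-expansion DoS),
  // which disabling external entities alone would not cover.
  def hardenedFactory(): XMLInputFactory = {
    val factory = XMLInputFactory.newFactory
    factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)
    factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)
    factory
  }

  // Reads the text of the first <name> element from an <order> document.
  // Returns Left with the parser's error when the document is rejected, so the
  // caller can log and discard it instead of crashing.
  def readName(factory: XMLInputFactory, xml: String): Either[String, String] =
    try {
      // Reader creation is inside the try: some implementations start scanning the prolog here.
      val reader = factory.createXMLStreamReader(new StringReader(xml))
      try {
        var name: Option[String] = None
        while (reader.hasNext && name.isEmpty) {
          reader.next() match {
            case XMLStreamConstants.START_ELEMENT if reader.getLocalName == "name" =>
              name = Some(reader.getElementText)
            case _ => // other events are irrelevant for this lookup
          }
        }
        name.toRight("no <name> element found")
      } finally reader.close()
    } catch {
      case e: XMLStreamException => Left(s"document rejected: ${e.getMessage}")
    }

  def main(args: Array[String]): Unit = {
    // Constructed sample: a well-formed document with no DTD.
    val plain = """<?xml version="1.0"?><order><name>widget</name></order>"""

    // Constructed sample: the same document with a DOCTYPE declaring an internal entity.
    // This is the shape every XXE payload starts from; with SUPPORT_DTD=false the
    // hardened factory never processes the declaration.
    val withDtd =
      """<?xml version="1.0"?>
        |<!DOCTYPE order [<!ENTITY greeting "hello">]>
        |<order><name>&greeting;</name></order>""".stripMargin

    val factory = hardenedFactory()
    println(s"plain   -> ${readName(factory, plain)}")
    println(s"withDtd -> ${readName(factory, withDtd)}")
  }
}
```

Keep the factory configuration in one place (a single `hardenedFactory()`-style constructor) and create every reader from it; the rule flags each `createXMLStreamReader` call whose factory has not had both properties set, so a factory shared through a helper is easier to audit than properties set ad hoc at each call site.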
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0092 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | XXE, XML External Entity |
| OWASP | N/A |