xxe

Veracode XML External Entity Reference (XXE)

天大地大妈咪最大 submitted on 2020-05-08 03:52:11
Question: I've got the next finding in my Veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611) referring the next code below ... DocumentBuilderFactory dbf=null; DocumentBuilder db = null; try { dbf=DocumentBuilderFactory.newInstance(); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); dbf.setExpandEntityReferences(false); dbf.setXIncludeAware(false); dbf.setValidating(false); dbf.newDocumentBuilder(); InputStream stream = new ByteArrayInputStream

Veracode XML External Entity Reference (XXE)

a 夏天 submitted on 2020-05-08 03:51:59
Question: I've got the next finding in my Veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611) referring the next code below ... DocumentBuilderFactory dbf=null; DocumentBuilder db = null; try { dbf=DocumentBuilderFactory.newInstance(); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); dbf.setExpandEntityReferences(false); dbf.setXIncludeAware(false); dbf.setValidating(false); dbf.newDocumentBuilder(); InputStream stream = new ByteArrayInputStream

Basic Working Example of an XXE Attack in HTML

痴心易碎 submitted on 2020-03-05 06:04:23
Question: I'm trying to run some tests with XXE attacks in an HTML page, but I'm having trouble coming up with a working example. After looking around the internet for a long time, I came up with this: <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Title</title> <script id="embeddedXML" type="text/xml"> <!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <foo>&xxe;</foo> </script> </head> <body> <script type="application/javascript"> alert(document

Basic Working Example of an XXE Attack in HTML part 2

眉间皱痕 submitted on 2020-02-07 02:00:26
Question: Follow-up to this: Basic Working Example of an XXE Attack in HTML. Seemed easier to make this follow-up than to try and shoehorn my progress into the previous question. I thought better to allow the correct answer to that query to appear correct plain and simple. I have now evolved my example to the following: <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Title</title> </head> <body> <p id="xmlOut"></p> <script type="application/javascript"> var xml = ` <!DOCTYPE foo [

XDocument.Parse: Avoid replacing XXE references

本小妞迷上赌 submitted on 2019-12-25 12:12:46
Question: I'm trying to protect against malicious XXE injections in the XMLs processed by my app. Therefore I'm using XDocument instead of XmlDocument. The XML represents the payload of a web request so I call XDocument.Parse on its string content. However, I'm seeing the XXE references contained in the XML (&XXE) being replaced in the result with the actual value of ENTITY xxe. Is it possible to parse the XML with XDocument without replacing &xxe? Thanks EDIT: I managed to avoid the replacement of

HP fortify XML External Entity Injection

杀马特。学长 韩版系。学妹 submitted on 2019-12-11 02:37:00
Question: HP Fortify shows me an XML external entity injection on the below code: StringBuilder sb = new StringBuilder(); StringWriter stringWriter = new StringWriter(sb); xmlSerializer.Serialize(stringWriter, o); XmlDocument xmlDoc = new XmlDocument(); xmlDoc.LoadXml(stringWriter.ToString()); //bad code result = xmlDoc.ChildNodes[1].OuterXml; in the above it was showing the vulnerability in the following line xmlDoc.LoadXml(stringWriter.ToString()); How can I resolve this situation? Answer 1: use xmlDoc

Clarifications on XXE vulnerabilities throughout PHP versions

本小妞迷上赌 submitted on 2019-12-08 23:13:09
Question: I post a question here as a last resort, I have browsed the web and went through many attempts but did not succeed. Replicating an XXE attack is what I am trying to do, in order to prevent them, but I cannot seem to get my head around the way PHP works with XML entities. For the record I am using PHP 5.5.10 on Ubuntu 12.04, but I have done some tests on 5.4 and 5.3, and libxml2 seems to be of version 2.7.8 (which does not seem to include the default to not resolving entities). In the following

How to Prevent XML External Entity Injection on TransformerFactory

。_饼干妹妹 submitted on 2019-12-03 10:05:39
Question: My problem: Fortify 4.2.1 is marking below code as susceptible for XML External Entities attack. TransformerFactory factory = TransformerFactory.newInstance(); StreamSource xslStream = new StreamSource(inputXSL); Transformer transformer = factory.newTransformer(xslStream); Solution I have tried: Setting TransformerFactory feature for XMLConstants.FEATURE_SECURE_PROCESSING to true. Looked into possibilities of providing more such features to TransformerFactory, just like we do for DOM and SAX

How to Prevent XML External Entity Injection on TransformerFactory

假如想象 submitted on 2019-12-03 00:40:30
My problem: Fortify 4.2.1 is marking below code as susceptible for XML External Entities attack. TransformerFactory factory = TransformerFactory.newInstance(); StreamSource xslStream = new StreamSource(inputXSL); Transformer transformer = factory.newTransformer(xslStream); Solution I have tried: Setting TransformerFactory feature for XMLConstants.FEATURE_SECURE_PROCESSING to true. Looked into possibilities of providing more such features to TransformerFactory, just like we do for DOM and SAX parsers. e.g. disallowing doctype declaration, etc. But TransformerFactoryImpl doesn't seem to be

Clarifications on XXE vulnerabilities throughout PHP versions

寵の児 submitted on 2019-11-30 06:42:39
I post a question here as a last resort, I have browsed the web and went through many attempts but did not succeed. Replicating an XXE attack is what I am trying to do, in order to prevent them, but I cannot seem to get my head around the way PHP works with XML entities. For the record I am using PHP 5.5.10 on Ubuntu 12.04, but I have done some tests on 5.4 and 5.3, and libxml2 seems to be of version 2.7.8 (which does not seem to include the default to not resolving entities). In the following example, calling libxml_disable_entity_loader() with true or false has no effect, or I am doing