Security Cipher

Menu
Contact Us

Security Resources

⌘K
  2. Home
  4. Docs
  6. Security Resources
  8. Secure Code Explain
  10. XXE Injection

XXE Injection

Here is a vulnerable Java code snippet that is susceptible to XXE (XML External Entity) injection attacks:

🥺 Vulnerable Code

import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class VulnerableXXE {
public static void main(String[] args) throws Exception {
String xmlData = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<user><name>John</name></user>";

// Vulnerable code: Parsing XML without disabling external entities
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
Document document = factory.newDocumentBuilder().parse(new InputSource(new StringReader(xmlData)));

// Processing the document
String name = document.getElementsByTagName("name").item(0).getTextContent();
System.out.println("Name: " + name);
}
}

In this vulnerable code snippet, we parse an XML document without disabling external entity resolution. An attacker can craft a malicious XML input that references an external entity (e.g., a file on the server), leading to information disclosure or other attacks.

😎 Secure Code

Here is an example of a secure version of the code that properly disables external entity resolution:

import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class SecureXXE {
public static void main(String[] args) throws Exception {
String xmlData = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<user><name>John</name></user>";

// Secure code: Disable external entity processing
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Document document = factory.newDocumentBuilder().parse(new InputSource(new StringReader(xmlData)));

// Processing the document
String name = document.getElementsByTagName("name").item(0).getTextContent();
System.out.println("Name: " + name);
}
}

In the secure code snippet, we disable external entity processing by setting the FEATURE_SECURE_PROCESSING feature to true. This prevents the parser from resolving external entities, making the code immune to XXE attacks. It’s a crucial security measure when dealing with XML data from untrusted sources.

Leave a Reply