If I am already using
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
then do I also need to use
xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
to fix an XXE vulnerability?
For that specific class, nope, your solution works. Indeed, disabling external entities but not DTDs would leave you vulnerable to another attack, recursive entities used for denial-of-service (also known as "billion laughs" attacks).
However, be aware that Java has multiple XML parsers, and they don't all care about XMLInputFactory or its properties; unless you're very sure that you aren't using anything else, you might need to disable DTDs in others too. The relevant OWASP cheat sheet lists over a dozen common XML parsers for Java, most of which are configured independently.
Also, you of course need to disable the property on the factory before generating the parser object (though you might be able to modify properties on the parser object before you actually parse the XML too).
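As an added illustration of the points in this answer (this is example code, not code from the question or the answerer), the following class configures a StAX XMLInputFactory with both properties set before any reader is created, rejects any document that still reports a DOCTYPE, and separately hardens a JAXP DocumentBuilderFactory, since its configuration is independent of XMLInputFactory. The class name, the two sample documents and the helper method names are assumptions made for this example; the property and feature names are the standard ones.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParsing {

    // Constructed sample input: a document carrying a DOCTYPE with a harmless internal entity.
    // A hardened parser should refuse to process any DOCTYPE, internal or external.
    static final String XML_WITH_DTD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note [ <!ENTITY greet \"hello\"> ]>\n" +
        "<note>&greet;</note>";

    // Constructed sample input with no DOCTYPE; this one must still parse normally.
    static final String PLAIN_XML = "<?xml version=\"1.0\"?><note>hello</note>";

    /** StAX factory with DTDs and external entities disabled BEFORE any reader is created. */
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Primary defence: no DTD processing at all (covers XXE and entity-expansion DoS).
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Belt-and-braces: even if DTDs were processed, never resolve external entities.
        f.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
        return f;
    }

    /**
     * Returns the character content of the document, or throws XMLStreamException.
     * A DTD event is treated as a policy violation: with SUPPORT_DTD=false the DTD is not
     * processed, but implementations differ on whether they still report the DOCTYPE, so
     * the reader refuses the document explicitly rather than relying on that detail.
     */
    static String readNote(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.DTD) {
                    throw new XMLStreamException("DOCTYPE declarations are not accepted");
                }
                if (ev == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return text.toString();
    }

    /** DOM (JAXP) parser: configured on its own, XMLInputFactory properties do not reach it. */
    static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejects the whole document as soon as a DOCTYPE is seen.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    public static void main(String[] args) throws Exception {
        XMLInputFactory f = hardenedStaxFactory();
        System.out.println("plain document: " + readNote(f, PLAIN_XML));

        try {
            readNote(f, XML_WITH_DTD);
            System.out.println("UNEXPECTED: StAX accepted a document with a DOCTYPE");
        } catch (XMLStreamException e) {
            System.out.println("StAX rejected DOCTYPE: " + e.getMessage());
        }

        try {
            hardenedDomFactory().newDocumentBuilder()
                .parse(new InputSource(new StringReader(XML_WITH_DTD)));
            System.out.println("UNEXPECTED: DOM accepted a document with a DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("DOM rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Compile and run with a plain JDK (no extra libraries). The point of the two factories side by side is the one the answer makes: hardening XMLInputFactory says nothing about a DocumentBuilderFactory, SAXParserFactory or any other parser the application also happens to use, so each one must be configured on its own, before it hands out a parser.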
It depends on the supported language behind the application. For instance, the XMLInputFactory you are using is one of the library rules available for the Java XML parsers. The main objective is to disable DTDs; it basically consists of the primary defense against this attack. You can find a thorough reference here from OWASP.