- basic protection set
- OWASP Top 10
When the XML processor is not configured correctly to handle references and entities, it may be susceptible to so-called XML external entities (XXE) attacks.
In order to prevent XXE vulnerabilities, the XML processor needs to be configured correctly. As stated on the OWASP XXE Cheat Sheet: "The safest way to prevent XXE is always to disable DTDs (External Entities) completely. Depending on the parser, the method should be similar to the following:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);. If it is not possible to disable DTDs completely, then external entities and external document type declarations must be disabled in the way that's specific to each parser." For specific instructions per parser we refer to the OWASP XXE Cheat Sheet as well.
id: scw:xxe:documentbuilderfactory-missing-external-parameter-entities version: 10 metadata: name: 'XXE: DocumentBuilderFactory: Add missing feature external-parameter-entities' shortDescription: Could lead to XXE level: error language: java newCodeOnly: false scwCategory: injection:xml cweCategory: 611 enabled: true descriptionFile: Java/XML/descriptions/XXE.html tags: security;XXE;basic protection set;OWASP Top 10 search: methodcall: not: followedBy: methodcall: args: 1: value: stringified: http://xml.org/sax/features/external-parameter-entities name: setFeature name: newInstance declaration: type: javax.xml.parsers.DocumentBuilderFactory availableFixes: - name: Set external-parameter-entities feature to false actions: - addMethodCall: name: setFeature arguments: - '"http://xml.org/sax/features/external-parameter-entities"' - "false" position: first-available-spot