Java SAXBuilder XXE Insecure Setup
Description
This detector identifies XML External Entity (XXE) vulnerabilities in Java applications that parse untrusted XML with JDOM2's SAXBuilder without hardening it. With its default configuration, SAXBuilder expands entity references and lets the underlying SAX parser resolve external entities declared in the document's DOCTYPE. An attacker who controls the input can therefore read local files, make the server issue outbound requests (server-side request forgery), or exhaust memory and CPU through nested entity expansion (denial of service).
Detection Strategy
• Check whether the Java project imports any class from the org.jdom2 package
• Locate calls to the build method on SAXBuilder instances
• Verify that the instance is not hardened against external entities, for example by enabling the http://apache.org/xml/features/disallow-doctype-decl feature or by disabling the external-general-entities and external-parameter-entities SAX features
• Report a vulnerability when SAXBuilder.build() is called without such protections
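The following is an added illustration of the detection strategy above, not Fluid Attacks' own analyzer: a simplified, regex-based scanner that applies the four steps to constructed Java sources. It treats a file as hardened when it enables disallow-doctype-decl or disables external-general-entities anywhere in the file (an assumption of this toy; a real analyzer tracks settings per SAXBuilder instance and data flow). The class and method names are illustrative.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class SaxBuilderXxeDetector {

    // Step 1: the project uses JDOM2 at all
    static final Pattern JDOM_IMPORT =
            Pattern.compile("^\\s*import\\s+org\\.jdom2\\.", Pattern.MULTILINE);
    // Step 2: a SAXBuilder is instantiated and build(...) is called on something
    static final Pattern SAXBUILDER_NEW = Pattern.compile("new\\s+SAXBuilder\\s*\\(");
    static final Pattern BUILD_CALL = Pattern.compile("\\.build\\s*\\(");
    // Step 3: settings this heuristic accepts as XXE protection (assumption: file-wide match)
    static final Pattern DOCTYPE_DISALLOWED =
            Pattern.compile("disallow-doctype-decl\"\\s*,\\s*true");
    static final Pattern EXTERNAL_ENTITIES_OFF =
            Pattern.compile("external-general-entities\"\\s*,\\s*false");

    /** Step 4: one finding per build() call in a file that shows no hardening. */
    static List<String> scan(String fileName, String source) {
        List<String> findings = new ArrayList<>();
        if (!JDOM_IMPORT.matcher(source).find() || !SAXBUILDER_NEW.matcher(source).find()) {
            return findings; // not a JDOM2 SAXBuilder user, nothing to report
        }
        boolean hardened = DOCTYPE_DISALLOWED.matcher(source).find()
                || EXTERNAL_ENTITIES_OFF.matcher(source).find();
        if (hardened) {
            return findings;
        }
        String[] lines = source.split("\n");
        for (int i = 0; i < lines.length; i++) {
            if (BUILD_CALL.matcher(lines[i]).find()) {
                findings.add(fileName + ":" + (i + 1)
                        + ": SAXBuilder.build() called without XXE protection");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample sources (not from any real project)
        String vulnerable = String.join("\n",
                "import org.jdom2.Document;",
                "import org.jdom2.input.SAXBuilder;",
                "class A { Document parse(java.io.File f) throws Exception {",
                "  SAXBuilder b = new SAXBuilder();",
                "  return b.build(f);",
                "} }");
        String secure = String.join("\n",
                "import org.jdom2.Document;",
                "import org.jdom2.input.SAXBuilder;",
                "class B { Document parse(java.io.File f) throws Exception {",
                "  SAXBuilder b = new SAXBuilder();",
                "  b.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);",
                "  return b.build(f);",
                "} }");
        for (String finding : scan("A.java", vulnerable)) {
            System.out.println(finding);
        }
        System.out.println("B.java findings: " + scan("B.java", secure).size());
    }
}
```

Running it reports the build() call in A.java and no findings for B.java. The file-wide check is deliberately lenient: a builder that is hardened in one method and left at defaults in another would slip through, which is why a production detector resolves the configuration of the specific SAXBuilder instance that reaches each build() call.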
Vulnerable code example
    import org.jdom2.Document;
    import org.jdom2.input.SAXBuilder;
    import java.io.File;

    public class XmlParserExample {
        public void parseXml(File xmlFile) throws Exception {
            // VULNERABLE: SAXBuilder without security controls allows XXE attacks
            SAXBuilder builder = new SAXBuilder();
            // A DOCTYPE in xmlFile can declare external entities that the parser resolves and expands
            Document doc = builder.build(xmlFile);
        }
    }
✅ Secure code example
    import org.jdom2.Document;
    import org.jdom2.input.SAXBuilder;
    import java.io.File;

    public class XmlParserExample {
        public void parseXml(File xmlFile) throws Exception {
            // Secure: Disable DTDs completely to prevent XXE attacks
            SAXBuilder builder = new SAXBuilder();
            builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Any document that carries a DOCTYPE is now rejected before an entity can be declared
            Document doc = builder.build(xmlFile);
        }
    }