Java External Entities Enabled
Description
Detects when XML external entity (XXE) processing is explicitly enabled in Java code through feature configuration. This is a critical security vulnerability that could allow attackers to disclose internal files, cause denial of service, or execute server-side request forgery attacks through maliciously crafted XML input.
Detection Strategy
• Identifies calls to 'setFeature' method in XML parser configuration
• Checks if the feature being set relates to external entity processing
• Verifies if the feature is being explicitly enabled (set to true)
• Reports a vulnerability when external entity processing is enabled
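The detection strategy above, implemented as a small Python checker over Java source lines. This is an added example, not Fluid Attacks' own rule code; the set of feature URIs treated as "external entity processing" and the string-literal matching are assumptions, and a real analyzer would resolve constants and multi-line calls rather than matching literals on one line.

```python
import re

# Parser features whose value "true" enables external entity processing.
# Assumed set: the standard SAX and Apache Xerces feature URIs; a real rule may cover more.
XXE_ENABLING_FEATURES = {
    "http://xml.org/sax/features/external-general-entities",
    "http://xml.org/sax/features/external-parameter-entities",
    "http://apache.org/xml/features/nonvalidating/load-external-dtd",
}

# Matches: <receiver>.setFeature("<feature URI>", <true|false>)
_SET_FEATURE = re.compile(
    r'\.\s*setFeature\s*\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)'
)


def find_xxe_enabled(java_source: str) -> list[tuple[int, str]]:
    """Return (line number, feature URI) for every setFeature call that
    explicitly sets an external entity feature to true. Whole-line '//'
    comments are skipped; the feature URIs themselves contain '//', so
    trailing comments are deliberately not stripped."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue
        for match in _SET_FEATURE.finditer(line):
            feature, value = match.group(1), match.group(2)
            if feature in XXE_ENABLING_FEATURES and value == "true":
                findings.append((lineno, feature))
    return findings


# Constructed sample: a factory setup mixing vulnerable and hardened calls.
SAMPLE_JAVA = """\
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://xml.org/sax/features/external-general-entities", true);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
"""

if __name__ == "__main__":
    for lineno, feature in find_xxe_enabled(SAMPLE_JAVA):
        print(f"line {lineno}: external entity processing enabled via {feature}")
```

Only lines 2 and 5 of the sample are reported: line 3 disables the feature, line 4 is commented out, and line 6 sets a feature that is not in the external entity set.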
Vulnerable code example
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

class VulnerableXMLParser {
    public void parseXML() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Vulnerable: enabling external entities allows XXE attacks
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", true);
        // ...
    }
}

✅ Secure code example
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

class SecureXMLParser {
    public void parseXML() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Disable external entities to prevent XXE attacks
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // ...
    }
}