Java Xml Validator Xxe Insecure Setup

Description

Detects XML External Entity (XXE) vulnerabilities in Java applications where XML validators are configured insecurely. This vulnerability occurs when XML parsers are set up without disabling external entity processing, which could allow attackers to perform XXE attacks leading to file disclosure, SSRF, or denial of service.

Weakness: 083 - XML injection (XXE)

Category: Unexpected Injection

Detection Strategy

    Identifies Java code that imports and uses javax.xml packages for XML processing

    Checks for calls to XML validator creation or configuration methods

    Reports a vulnerability when XML validators are created without explicitly disabling external entity processing

    Focuses on common validator setup patterns like SchemaFactory, ValidatorFactory, or Validator instantiations

Vulnerable code example

import javax.xml.XMLConstants;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
import javax.xml.transform.stream.StreamSource;
import java.io.File;

public class InsecureValidator {...

✅ Secure code example

import javax.xml.XMLConstants;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
import javax.xml.transform.stream.StreamSource;
import java.io.File;

public class SecureValidator {...
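The two setups the rule distinguishes, written out as an added, self-contained example (this is not the page's own code; the inline schema and document are constructed so it runs offline, and the class and method names are assumed):

```java
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import java.io.StringReader;
import org.xml.sax.SAXException;

public class ValidatorSetupExample {

    // Constructed sample schema and document, embedded so the example runs offline.
    static final String SCHEMA =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"note\" type=\"xs:string\"/></xs:schema>";
    static final String DOCUMENT = "<note>hello</note>";

    // Insecure (what the rule reports): a SchemaFactory and Validator left at their
    // defaults may resolve external DTDs and schema locations named by the input.
    static Validator insecureValidator() throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Schema schema = factory.newSchema(new StreamSource(new StringReader(SCHEMA)));
        return schema.newValidator();
    }

    // Hardened: disable external access on the factory (used while loading the
    // schema) and again on the validator (used while validating documents), and
    // turn on secure processing. An empty string means "no protocols allowed".
    static Validator secureValidator() throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = factory.newSchema(new StreamSource(new StringReader(SCHEMA)));

        Validator validator = schema.newValidator();
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return validator;
    }

    public static void main(String[] args) throws Exception {
        Validator validator = secureValidator();
        validator.validate(new StreamSource(new StringReader(DOCUMENT)));
        System.out.println("document is valid; external DTD/schema access is disabled");
    }
}
```

With the hardened validator, a document whose DOCTYPE points at an external DTD is rejected with a SAXParseException instead of being fetched, which is the behaviour the rule expects to see configured explicitly.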