Java Xxe Insecure Validator Dom4j
Description
Detects unsafe XML parsing configurations in Java applications that use the DOM4J library and could allow XML External Entity (XXE) attacks. When XML parsing is not configured with security controls, an attacker who supplies the parsed document can exploit XXE to disclose sensitive files, cause denial of service, or perform server-side request forgery.
Detection Strategy
• Confirms the presence of DOM4J library imports (specifically org.dom4j.io package) in the Java source code
• Identifies direct calls to the 'read' method on SAXReader objects
• Reports a vulnerability when the SAXReader is used without enabling secure processing features or external entity restrictions
• Focuses on unsafe default configurations where XML parsing is done without explicit security controls
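As an added illustration (not part of this rule's page or Fluid Attacks' tooling), the following Python checker applies the strategy above to Java source: it requires an org.dom4j.io import, finds SAXReader.read calls, and reports those whose reader was never hardened. The two sample inputs are constructed from the page's snippets, and the set of accepted hardening features is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the page's vulnerable example (not a real project file).
UNSAFE_JAVA = """
import org.dom4j.Document;
import org.dom4j.io.SAXReader;
import java.io.StringReader;

public class Unsafe {
    public void parseXmlUnsafe(String xmlInput) throws Exception {
        SAXReader reader = new SAXReader();
        Document doc = reader.read(new StringReader(xmlInput));
    }
}
"""
# Constructed hardened variant: same code with the page's disallow-doctype-decl call added.
SAFE_JAVA = UNSAFE_JAVA.replace(
    "SAXReader reader = new SAXReader();",
    'SAXReader reader = new SAXReader();\n        reader.setFeature('
    '"http://apache.org/xml/features/disallow-doctype-decl", true);',
)

# Feature URI -> value that counts as hardening (assumption: any one of these suffices).
HARDENING: Dict[str, str] = {
    "http://apache.org/xml/features/disallow-doctype-decl": "true",
    "http://xml.org/sax/features/external-general-entities": "false",
    "http://xml.org/sax/features/external-parameter-entities": "false",
}
DOM4J_IO_IMPORT = re.compile(r"^\s*import\s+org\.dom4j\.io\.", re.MULTILINE)
READER_DECL = re.compile(r"\bSAXReader\s+(\w+)\s*=\s*new\s+SAXReader\b")
SET_FEATURE = re.compile(r"\b(\w+)\.setFeature\(\s*\"([^\"]+)\"\s*,\s*(true|false)\s*\)")
READ_CALL = re.compile(r"\b(\w+)\.read\(")


def find_insecure_reads(source: str) -> List[int]:
    """Return 1-based line numbers of read() calls on SAXReader instances
    that were never hardened with an accepted feature/value pair."""
    if not DOM4J_IO_IMPORT.search(source):
        return []                      # rule only applies to DOM4J users
    readers = set(READER_DECL.findall(source))
    hardened = {
        var for var, uri, value in SET_FEATURE.findall(source)
        if HARDENING.get(uri) == value  # wrong value (e.g. doctype allowed) does not count
    }
    return [
        n for n, line in enumerate(source.splitlines(), start=1)
        for m in READ_CALL.finditer(line)
        if m.group(1) in readers - hardened
    ]
```

A setFeature call with the wrong value (for example disallow-doctype-decl set to false) is deliberately not treated as hardening, so the read call is still reported.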
Vulnerable code example
import org.dom4j.Document;
import org.dom4j.io.SAXReader;
import java.io.StringReader;

public void parseXmlUnsafe(String xmlInput) throws Exception {
    // VULNERABLE: a default SAXReader resolves DOCTYPE declarations and
    // external entities, so attacker-controlled XML can trigger XXE
    SAXReader reader = new SAXReader();
    Document doc = reader.read(new StringReader(xmlInput));
}
✅ Secure code example
import org.dom4j.Document;
import org.dom4j.io.SAXReader;
import java.io.StringReader;

public void parseXmlSafe(String xmlInput) throws Exception {
    SAXReader reader = new SAXReader();
    // Disable DOCTYPE declarations to prevent XXE attacks
    reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Defense in depth: also refuse external general and parameter entities
    reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    Document doc = reader.read(new StringReader(xmlInput));
}