Java Xml External Entity Injection
Description
Detects potential XML External Entity (XXE) Injection vulnerabilities in Java applications by identifying unsafe XML parser usage. XXE vulnerabilities can allow attackers to read sensitive files, conduct denial of service attacks, or perform server-side request forgery through maliciously crafted XML input.
Detection Strategy
• Identifies Java code that uses XML parsers through 'parse' method calls
• Checks if the XML parser object is one of the known vulnerable parser types
• Verifies that no security settings or sanitization have been applied to the parser object
• Reports a vulnerability when an XML parser is used without proper security configuration to prevent XXE attacks
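The four steps above, run as a small static check in Python over constructed Java snippets. This is an added example and not Fluid Attacks' detection engine: the list of parser types, the list of settings accepted as hardening, the snippet-wide scope of step 3, and the function names (`scan_java`, `receiver_type`) are assumptions made for this example.

```python
"""Heuristic XXE detector over Java source (added example, not the vendor's engine)."""
import re

# Step 2: factory/parser types treated as XXE-prone unless hardened (assumed list).
PARSER_TYPES = (
    "DocumentBuilderFactory", "DocumentBuilder",
    "SAXParserFactory", "SAXParser", "XMLReader",
    "XMLInputFactory", "XMLStreamReader",
    "SAXBuilder", "SAXReader",
)

# Step 3: settings this example accepts as XXE hardening (assumed list).
HARDENING = (
    r'setFeature\(\s*"http://apache\.org/xml/features/disallow-doctype-decl"\s*,\s*true\s*\)',
    r'setFeature\(\s*"http://xml\.org/sax/features/external-general-entities"\s*,\s*false\s*\)',
    r'setFeature\(\s*"http://xml\.org/sax/features/external-parameter-entities"\s*,\s*false\s*\)',
    r'setAttribute\(\s*XMLConstants\.ACCESS_EXTERNAL_DTD\s*,\s*""\s*\)',
    r'setProperty\(\s*XMLInputFactory\.SUPPORT_DTD\s*,\s*false\s*\)',
)

DECL = re.compile(r"\b(" + "|".join(PARSER_TYPES) + r")\s+(\w+)\s*=")  # "Type name ="
PARSE = re.compile(r"([\w.()]+?)\.parse\s*\(")  # Step 1: any ".parse(" call and its receiver


def receiver_type(receiver, declared):
    """Resolve the static type of the expression parse() is called on, or None."""
    head = receiver.split(".")[0].split("(")[0]
    if head in declared:                 # e.g. "db" declared as DocumentBuilder
        return declared[head]
    for typ in PARSER_TYPES:             # chained: DocumentBuilderFactory.newInstance()...
        if typ in receiver:
            return typ
    return None                          # LocalDate.parse(...) and similar are not XML parsers


def scan_java(source):
    """One finding per parse() call on a known parser type when no hardening is present.

    Step 3 is evaluated over the whole snippet here; a real rule tracks it per object.
    """
    declared = {name: typ for typ, name in DECL.findall(source)}
    hardened = any(re.search(pattern, source) for pattern in HARDENING)
    findings = []
    for match in PARSE.finditer(source):
        typ = receiver_type(match.group(1), declared)
        if typ is None or hardened:
            continue
        line = source.count("\n", 0, match.start()) + 1
        findings.append({"line": line, "receiver": match.group(1), "type": typ})  # Step 4
    return findings


# Constructed snippets for the example (not code from the page).
VULNERABLE = """\
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
public class Loader {
    void load(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.parse(new InputSource(new StringReader(xml)));
    }
}
"""

HARDENED = """\
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
Document d = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
"""

SAX_CHAINED = """\
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.newSAXParser().parse(new InputSource(new StringReader(xml)), handler);
"""

NOT_XML = """\
LocalDate when = LocalDate.parse(text);   // java.time, not an XML parser
int n = Integer.parseInt(text);           // no ".parse(" call at all
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED),
                       ("sax chained", SAX_CHAINED), ("not xml", NOT_XML)):
        print(label, scan_java(src))
```

The receiver lookup is what keeps `LocalDate.parse` and `Integer.parseInt` out of the results, while the chained `spf.newSAXParser().parse(...)` is still resolved back to the `SAXParserFactory` declaration.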
Vulnerable code example
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.StringReader;
import org.xml.sax.InputSource;
public class XxeVulnerable {
    public void parseXml(String inputXml) {
        try {
            DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); // factory defaults: DOCTYPE and external entities are accepted
            builder.parse(new InputSource(new StringReader(inputXml)));
        } catch (Exception e) {
            throw new IllegalStateException("XML parsing failed", e);
        }
    }
}
Secure code example
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.StringReader;
import org.xml.sax.InputSource;
import javax.xml.XMLConstants;
public class XxeSecure {
    public void parseXml(String inputXml) {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject any DOCTYPE, so no entity can be declared
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // defence in depth: never fetch an external DTD
            DocumentBuilder builder = factory.newDocumentBuilder();
            builder.parse(new InputSource(new StringReader(inputXml)));
        } catch (Exception e) { throw new IllegalStateException("XML parsing failed", e); }
    }
}