Java Enabled Extensions Deserialization
Description
Detects unsafe configuration of Java XML-RPC servers that enable extensions, which allows arbitrary classes to be loaded during deserialization. This creates a remote code execution risk: an attacker who can reach the endpoint can send a malicious serialized object that executes arbitrary code when it is deserialized.
Detection Strategy
• Checks whether Apache XML-RPC libraries are imported in the codebase
• Looks for calls to the setEnabledForExtensions() method
• Checks whether setEnabledForExtensions is called with the literal true as its argument
• Confirms the method is called on an XML-RPC server instance
• Reports a vulnerability when all of these conditions are met, since this configuration enables unsafe deserialization
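As an added illustration of the strategy above, and not Fluid Attacks' own analyzer, the following Python detector applies the four conditions to Java source text. The set of server-side config types it accepts, the regular expressions and the sample inputs are assumptions made for this example; it scans lines rather than parsing Java, so it demonstrates the conditions rather than serving as a production check.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical, lightweight textual detector mirroring the four conditions above.
# It is not Fluid Attacks' analyzer and does not parse Java; it scans source lines.
XMLRPC_IMPORT = re.compile(r"^\s*import\s+org\.apache\.xmlrpc\.")
DECLARATION = re.compile(r"\b(?P<type>[A-Z]\w*)\s+(?P<var>[a-z]\w*)\s*[=;]")
ENABLE_CALL = re.compile(
    r"\b(?P<recv>[a-z]\w*)\s*\.\s*setEnabledForExtensions\s*\(\s*(?P<arg>[^)]*?)\s*\)"
)
# Assumed list of server-side config types; the page does not enumerate the rule's own list.
SERVER_CONFIG_TYPES = {"XmlRpcServerConfigImpl", "XmlRpcServerConfig", "XmlRpcHttpServerConfig"}


@dataclass(frozen=True)
class Finding:
    line: int           # 1-based line number of the offending call
    receiver: str       # variable the method was called on
    receiver_type: str  # declared type of that variable
    text: str           # the source line, stripped


def _strip_line_comment(code_line: str) -> str:
    # Ignore // comments so a commented-out call is not reported (strings containing // are not handled).
    return code_line.split("//", 1)[0]


def find_enabled_extensions(java_source: str) -> list[Finding]:
    """Return one Finding per setEnabledForExtensions(true) call on an XML-RPC server config."""
    lines = java_source.splitlines()
    # Condition 1: the Apache XML-RPC library is imported somewhere in the file.
    if not any(XMLRPC_IMPORT.match(line) for line in lines):
        return []

    declared_types: dict[str, str] = {}  # variable name -> declared type, collected as we go
    findings: list[Finding] = []
    for number, raw in enumerate(lines, start=1):
        line = _strip_line_comment(raw)
        for decl in DECLARATION.finditer(line):
            declared_types[decl.group("var")] = decl.group("type")
        for call in ENABLE_CALL.finditer(line):
            # Conditions 2 and 3: the call exists and its argument is the literal true.
            if call.group("arg") != "true":
                continue
            # Condition 4: the receiver was declared as a server-side config object.
            receiver_type = declared_types.get(call.group("recv"), "")
            if receiver_type not in SERVER_CONFIG_TYPES:
                continue
            findings.append(Finding(number, call.group("recv"), receiver_type, raw.strip()))
    return findings


# Constructed sample inputs (not taken from any real project).
VULNERABLE_SAMPLE = """\
import org.apache.xmlrpc.server.XmlRpcServerConfigImpl;
public class VulnerableConfig {
    public static void main(String[] args) {
        XmlRpcServerConfigImpl config = new XmlRpcServerConfigImpl();
        config.setEnabledForExtensions(true);
    }
}
"""
SECURE_SAMPLE = VULNERABLE_SAMPLE.replace("(true)", "(false)")
NO_IMPORT_SAMPLE = VULNERABLE_SAMPLE.replace("import org.apache.xmlrpc.server.XmlRpcServerConfigImpl;\n", "")
COMMENTED_OUT_SAMPLE = VULNERABLE_SAMPLE.replace("config.setEnabledForExtensions", "// config.setEnabledForExtensions")
# Enabling extensions on a client config is outside this rule: the receiver is not a server instance.
CLIENT_SAMPLE = """\
import org.apache.xmlrpc.client.XmlRpcClientConfigImpl;
public class ClientConfig {
    public static void main(String[] args) {
        XmlRpcClientConfigImpl client = new XmlRpcClientConfigImpl();
        client.setEnabledForExtensions(true);
    }
}
"""

if __name__ == "__main__":
    for name, sample in [("vulnerable", VULNERABLE_SAMPLE), ("secure", SECURE_SAMPLE),
                         ("no import", NO_IMPORT_SAMPLE), ("commented out", COMMENTED_OUT_SAMPLE),
                         ("client config", CLIENT_SAMPLE)]:
        print(name, "->", find_enabled_extensions(sample))
```

Only the first sample produces a finding; the other four each fail exactly one of the conditions (argument is false, no Apache XML-RPC import, the call is commented out, or the receiver is a client rather than a server config), which is the behaviour the strategy above describes.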
Vulnerable code example
import org.apache.xmlrpc.server.XmlRpcServerConfigImpl;

public class VulnerableConfig {
    public static void main(String[] args) {
        XmlRpcServerConfigImpl config = new XmlRpcServerConfigImpl();
        config.setEnabledForExtensions(true); // Vulnerable: enables dangerous XML-RPC extensions
    }
}
✅ Secure code example
import org.apache.xmlrpc.server.XmlRpcServerConfigImpl;

public class SecureConfig {
    public static void main(String[] args) {
        XmlRpcServerConfigImpl config = new XmlRpcServerConfigImpl();
        config.setEnabledForExtensions(false); // Safe: explicitly disable XML-RPC extensions so serialized Java objects are never deserialized
    }
}