Java External Entities Enabled Xmlstream
Description
Detects when XML external entity (XXE) processing is explicitly enabled in Java applications using XMLInputFactory. This configuration can allow processing of external entities in XML documents, potentially leading to server-side request forgery (SSRF), denial of service, or data disclosure attacks if untrusted XML input is processed.
Detection Strategy
• Check if javax.xml.stream packages are imported in the Java source code
• Look for calls to setProperty method on XMLInputFactory instances
• Verify if the property is configured to enable external entity processing
• Flag cases where external entity processing is explicitly enabled as a security vulnerability
Vulnerable code example

```java
import javax.xml.stream.XMLInputFactory;

class UnsafeXMLParser {
    void configureParser() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        // Vulnerable: enables XXE processing, which can lead to security issues
        factory.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
    }
}
```

✅ Secure code example
```java
import javax.xml.stream.XMLInputFactory;

class SafeXMLParser {
    void configureParser() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        // Disable DTD and external entity processing to prevent XXE attacks
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
    }
}
```
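The following is an added example, not code from the Fluid Attacks page, showing the hardened configuration in use together with a check that a unit test can run to confirm the factory is locked down. Note that `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` is the constant for the string `"javax.xml.stream.isSupportingExternalEntities"` used above, so both spellings set the same property and a reviewer should look for either. The class name `HardenedStaxDemo`, its method names, and the two XML documents (including the placeholder `file:///placeholder` URI) are constructed for this example.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class HardenedStaxDemo {

    // Builds an XMLInputFactory with the XXE-relevant features disabled.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        // No DTD processing: internal and external entity declarations are not honoured.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Same property as the string "javax.xml.stream.isSupportingExternalEntities".
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    // Configuration check (suitable for a unit test): both properties must read back as false.
    static boolean isHardened(XMLInputFactory factory) {
        return Boolean.FALSE.equals(factory.getProperty(XMLInputFactory.SUPPORT_DTD))
            && Boolean.FALSE.equals(factory.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES));
    }

    // Concatenates the character content of the document; only CHARACTERS events are
    // appended, so an unexpanded entity reference never contributes resolved content.
    static String collectText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder out = new StringBuilder();
        try {
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.CHARACTERS) {
                    out.append(reader.getText());
                } else if (event == XMLStreamConstants.DTD) {
                    // Belt and braces: refuse any document carrying a DOCTYPE, independent of
                    // how the StAX implementation treats it with SUPPORT_DTD disabled.
                    throw new XMLStreamException("DOCTYPE present in input; document rejected");
                }
            }
        } finally {
            reader.close();
        }
        return out.toString();
    }

    public static void main(String[] args) {
        XMLInputFactory factory = hardenedFactory();
        System.out.println("factory hardened: " + isHardened(factory));

        // Constructed sample: plain document without a DTD.
        String benign = "<order><item>widget</item><qty>3</qty></order>";
        // Constructed sample: document declaring an external entity (placeholder URI).
        String withDtd = "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                       + "<order><item>&ext;</item></order>";

        for (String doc : new String[] { benign, withDtd }) {
            try {
                System.out.println("parsed text: " + collectText(factory, doc));
            } catch (XMLStreamException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Run it with `java HardenedStaxDemo.java` (JDK 11 or later). The benign document yields `widget3`; the DOCTYPE-bearing document is either rejected by the parser because DTD support is off or rejected by the explicit DTD-event check, and in neither case is the external resource fetched or its content appended. Wiring `isHardened` into a test guards against a later change that quietly re-enables one of the two properties.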