Kotlin Xxe Unprotected Xml Parser
Description
Detects usage of XML parsers in Kotlin code that are not properly configured to prevent XML External Entity (XXE) attacks. Such unprotected parsers can allow attackers to extract sensitive files, execute server-side request forgery, or cause denial of service through entity expansion.
Detection Strategy
• Identifies calls to XML parser methods named 'parse'
• Checks if the XML parser object is created without proper XXE protection settings
• Reports a vulnerability when an unprotected XML parser instance is used to parse untrusted input
Vulnerable code example
import javax.xml.parsers.SAXParserFactory
import org.xml.sax.InputSource
import org.xml.sax.helpers.DefaultHandler
import java.io.StringReader

fun processXML(xmlInput: String) {
    // Vulnerable: SAXParserFactory without secure parsing settings
    val factory = SAXParserFactory.newInstance()
    val parser = factory.newSAXParser()
    // With the default configuration the parser honours DOCTYPE declarations,
    // so external entities in untrusted input are resolved during parsing
    parser.parse(InputSource(StringReader(xmlInput)), DefaultHandler())
}
✅ Secure code example
import javax.xml.parsers.SAXParserFactory
import org.xml.sax.InputSource
import org.xml.sax.helpers.DefaultHandler
import java.io.StringReader

fun processXML(xmlInput: String) {
    // Create factory with secure parsing settings
    val factory = SAXParserFactory.newInstance()
    // Reject any DOCTYPE, which also rules out entity declarations and expansion
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Defence in depth in case DOCTYPE handling is re-enabled elsewhere
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false)
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    factory.isXIncludeAware = false
    val parser = factory.newSAXParser()
    parser.parse(InputSource(StringReader(xmlInput)), DefaultHandler())
}