Java Transformer Factory Insecure Setup
Description
Detects potentially insecure configuration of Java's JAXP SAXTransformerFactory that could allow XML External Entity (XXE) attacks. When XML parsing is configured without proper security features enabled, an attacker could exploit XXE vulnerabilities to read sensitive files, cause denial of service, or execute server-side request forgery attacks.
Detection Strategy
• Identifies imports of javax.xml packages in Java code
• Looks for instantiation or usage of XML transformation methods without secure configuration settings
• Reports vulnerability when transformation methods are used without explicitly setting required security features like 'XMLConstants.FEATURE_SECURE_PROCESSING'
Vulnerable code example
import javax.xml.transform.sax.SAXTransformerFactory;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import org.xml.sax.XMLFilter;

public class VulnerableTransformer {
    public void processXml(String xml) throws Exception {
        // VULNERABLE: SAXTransformerFactory created without security attributes
        // (method body reconstructed from the imports above; the original page truncates here)
        SAXTransformerFactory factory = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
        // External entities declared in the untrusted stylesheet are resolved when this filter is built and used
        XMLFilter filter = factory.newXMLFilter(new StreamSource(new StringReader(xml)));
    }
}
✅ Secure code example
import javax.xml.XMLConstants;
import javax.xml.transform.sax.SAXTransformerFactory;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import org.xml.sax.XMLFilter;
public class SecureTransformer {
    public void processXml(String xml) throws Exception {
        // SECURE: secure processing is enabled before anything is built from the untrusted XML
        // (method body reconstructed from the imports above; the original page truncates here)
        SAXTransformerFactory factory = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLFilter filter = factory.newXMLFilter(new StreamSource(new StringReader(xml)));
    }
}
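As an added example (not code from the Fluid Attacks page), the hardening this rule checks for, built as a reusable factory helper that fails closed: FEATURE_SECURE_PROCESSING as the rule requires, plus the ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET attributes as defence in depth so neither an external entity nor an xsl:import can reach the file system or network. The class name, helper names, stylesheet and document are constructed for the demo; any filter created with newXMLFilter on the same factory inherits the same settings.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.sax.SAXTransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

// Hypothetical demo class, not part of the original page.
public class HardenedTransformerDemo {

    /** Returns a SAXTransformerFactory with XXE protections, or throws if they cannot be applied. */
    static SAXTransformerFactory hardenedFactory() throws TransformerConfigurationException {
        SAXTransformerFactory f = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
        // Required by the rule. On the JDK implementation this also blanks external access by
        // default; if the implementation does not support it, setFeature throws instead of
        // silently returning an unprotected factory.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Defence in depth: an empty protocol list forbids fetching any external DTD or stylesheet.
        // An implementation that does not recognise these attributes throws IllegalArgumentException,
        // which again fails closed rather than open.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    /** Applies an untrusted stylesheet to an untrusted document using the hardened factory. */
    static String transform(String stylesheet, String xml) throws TransformerException {
        Transformer t = hardenedFactory().newTransformer(new StreamSource(new StringReader(stylesheet)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a one-template stylesheet and a tiny document.
        String xsl = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:output method=\"text\"/>"
                + "<xsl:template match=\"/\"><xsl:value-of select=\"/doc/item\"/></xsl:template>"
                + "</xsl:stylesheet>";
        String xml = "<doc><item>hello</item></doc>";
        System.out.println(transform(xsl, xml));
    }
}
```

With these settings a stylesheet that declares a DOCTYPE with an external DTD, or imports an external stylesheet, is rejected with a TransformerException instead of being fetched.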