Saxon HE External Entity Processing ( XXE )

In this article I will describe how to stop Saxon from resolving external entities, so that your code is not exposed to XXE (XML External Entity) attacks.

Basically, you should be very careful when parsing XML files from untrusted sources. With a parser left at its defaults, this can lead to serious security issues: local file disclosure, server-side request forgery through entity URLs, and denial of service through entity expansion.

XML External Entity Attack

test.xml

If you parse arbitrary XML files supplied by users and do not set up your XML parser correctly, the example above leads to the content of the file "/etc/passwd" being automatically embedded into the parsed XML structure, where it is then available to whatever your code does with the document (prints it, stores it, or echoes it back to the user).

Saxon

If your code parses an XML document (test.xml, see above) via Saxon like the code shown below, this leads to the content of "/etc/passwd" being printed out.

In other XML parser implementations there is typically a setter for features on the parser object, where you can pass in settings like

In Saxon this setting is actually hidden quite well. Saxon has no dedicated XXE switch of its own; the setting has to be passed through to the actual XML parser as a configuration property whose name is built by concatenating two strings: Saxon's parser-feature prefix and the feature URI of the underlying parser. This took me quite some time to figure out (see below).

After putting this setting in, the code above no longer prints the content of the included file.
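The following is an added, self-contained example (not the code from the original post) that shows the vulnerable and the hardened Saxon call side by side. It assumes Saxon-HE 9.x with the JDK's built-in (Xerces-derived) SAX parser, the s9api `Processor`/`DocumentBuilder` API, and the `FeatureKeys.XML_PARSER_FEATURE` prefix `http://saxon.sf.net/feature/parserFeature?uri=`; the XXE payload is constructed for the demo and targets a file that is only readable on Unix-like systems.

```java
import java.io.StringReader;
import javax.xml.transform.stream.StreamSource;
import net.sf.saxon.Configuration;
import net.sf.saxon.lib.FeatureKeys;
import net.sf.saxon.s9api.DocumentBuilder;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.SaxonApiException;
import net.sf.saxon.s9api.XdmNode;

public class SaxonXxeDemo {

    // Constructed XXE payload for this demo (not taken from the original post):
    // a DOCTYPE declaring an external general entity that points at a local file.
    static final String XXE_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE foo [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n" +
        "]>\n" +
        "<foo>&xxe;</foo>\n";

    // Vulnerable variant: a Processor left at its defaults lets the SAX parser
    // that Saxon creates internally resolve the external entity.
    static String parseUnsafely(String xml) throws SaxonApiException {
        Processor processor = new Processor(false); // false = Saxon-HE, no license needed
        DocumentBuilder builder = processor.newDocumentBuilder();
        XdmNode doc = builder.build(new StreamSource(new StringReader(xml)));
        return doc.getStringValue();
    }

    // Hardened variant: push parser features through Saxon's Configuration.
    // The property name is FeatureKeys.XML_PARSER_FEATURE (Saxon's prefix)
    // concatenated with the feature URI of the underlying parser. Saxon does
    // not expose an XXE switch itself; it only forwards these to the parser.
    static String parseSafely(String xml) throws SaxonApiException {
        Processor processor = new Processor(false);
        Configuration config = processor.getUnderlyingConfiguration();

        // Strongest option (Xerces/JDK parser feature): reject any DOCTYPE at all.
        config.setConfigurationProperty(
            FeatureKeys.XML_PARSER_FEATURE + "http://apache.org/xml/features/disallow-doctype-decl",
            true);
        // Defence in depth (standard SAX features): never resolve external
        // general or parameter entities even if a DOCTYPE gets through.
        config.setConfigurationProperty(
            FeatureKeys.XML_PARSER_FEATURE + "http://xml.org/sax/features/external-general-entities",
            false);
        config.setConfigurationProperty(
            FeatureKeys.XML_PARSER_FEATURE + "http://xml.org/sax/features/external-parameter-entities",
            false);

        DocumentBuilder builder = processor.newDocumentBuilder();
        XdmNode doc = builder.build(new StreamSource(new StringReader(xml)));
        return doc.getStringValue();
    }

    public static void main(String[] args) {
        try {
            // Prints the content of /etc/passwd on a default configuration.
            System.out.println("unsafe: " + parseUnsafely(XXE_XML));
        } catch (SaxonApiException e) {
            System.out.println("unsafe: parse failed: " + e.getMessage());
        }
        try {
            // With disallow-doctype-decl set, the parser rejects the DOCTYPE and
            // Saxon wraps the SAXParseException in a SaxonApiException.
            System.out.println("safe: " + parseSafely(XXE_XML));
        } catch (SaxonApiException e) {
            System.out.println("safe: parse rejected: " + e.getMessage());
        }
    }
}
```

Two caveats a practitioner should check in their own setup. First, these properties only affect the XMLReader that Saxon instantiates itself (as it does for a `StreamSource`); if you hand Saxon a `SAXSource` with an `XMLReader` you built yourself, you must set the same features on that reader directly, since Saxon will not touch it. Second, `disallow-doctype-decl` is a Xerces/JDK-parser feature; if you have a different SAX parser on the classpath, verify that it honours it, and keep the two SAX entity features as a fallback.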

Hope this little article saves time for some of you guys.

If you have any questions or comments, please leave a message below.


28.06.2018