applications-security: XML External Entity Injection

Hi,

When I do a scan using the Fortify tool, I get some issues under "XML External Entity Injection".

TransformerFactory trfactory = TransformerFactory.newInstance();

This is the place where it is showing the error. I have given the fix below, as suggested by Fortify:

trfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
trfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

but still the issues are not fixed. Need a suggestion on how to fix this issue.

Thanks,
Raghu.

Tags: applications, security
Posted On : 2016-07-07 19:15:33.0
veera

Answers


XML External Entity attacks benefit from an XML feature to build documents dynamically at the time of processing. An XML entity allows data to be included dynamically from a given resource. External entities allow an XML document to include data from an external URI. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote system. This behavior exposes the application to XML External Entity (XXE) attacks, which can be used to perform denial of service of the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service of remote systems.

The following XML document shows an example of an XXE attack:
----------------------------------------------------------
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/winnt/win.ini" >]>
<foo>&xxe;</foo>
----------------------------------------------------------

This example could disclose the contents of the C:\winnt\win.ini system file, if the XML parser attempts to substitute the entity with the contents of the file.

Recommendation:
----------------------------------------------------------
An XML parser should be configured securely so that it does not allow external entities as part of an incoming XML document.

The best way to prevent XXE attacks is to disable XML entity resolution, either by disabling inline DTDs (setting DtdProcessing to DtdProcessing.Prohibit) or by disabling XML entity resolution (setting the XmlReaderSettings.XmlResolver property to null):

XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit;
settings.XmlResolver = null;
XmlReader reader = XmlReader.Create(stream, settings);

If external entities must be processed in your application, you should create a custom XmlResolver with the following features:

1. Set a request timeout to prevent infinite delay attacks
2. Limit the amount of data that it will retrieve
3. Restrict the XmlResolver from retrieving resources on the local host

Note:
------------------------
Set XMLConstants.FEATURE_SECURE_PROCESSING on the TransformerFactory class. Additionally, you can look at Xalan's and Java's own TransformerFactoryImpl implementation classes to research further for a solution to your problem.

Posted On : 2016-07-07 23:43:34
Satisfied : 5 Yes  0 No
Rishi Kumar
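The answer's C# snippet and its note about FEATURE_SECURE_PROCESSING translate to Java as follows. This is an added example, not code from the question or from any answer in this thread: it hardens the standard TransformerFactory obtained through TransformerFactory.newInstance() (no vendor-specific class needed) with the JAXP 1.5 access properties, rather than the SAX parser feature names used in the question, which the JDK's TransformerFactory does not accept through setFeature (it throws TransformerConfigurationException for features it does not recognise). It assumes Java 8 or later; the class and method names are mine, and the self-check writes a constructed canary file to a temporary path to confirm that the configured factory refuses to pull an external entity into the output.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedTransformerFactory {

    /**
     * Standard JAXP lookup (no vendor-specific class), with the JAXP 1.5 access
     * restrictions applied. Assumes Java 8 or later.
     */
    public static TransformerFactory newHardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing: entity-expansion limits; with the JDK's built-in implementation it
        // also defaults the two access properties below to "" (set explicitly here to be visible).
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // "" = no protocol permitted: external DTDs and external entities are never fetched ...
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // ... and neither are stylesheets pulled in through xsl:import, xsl:include or document().
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Identity transform of an XML string (parse + serialize), used as a stylesheet-free smoke test. */
    public static String identityTransform(TransformerFactory tf, String xml) throws TransformerException {
        Transformer t = tf.newTransformer();          // no stylesheet = identity transformer
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    /**
     * Self-check for the configuration: writes a canary file, references it from a
     * constructed document's internal DTD subset, and reports whether the parser
     * refused to pull it in. Returns true when the canary content does NOT reach the
     * output (either the parse was rejected, or the entity was left unexpanded).
     */
    public static boolean blocksExternalEntity(TransformerFactory tf) throws Exception {
        Path canary = Files.createTempFile("xxe-canary", ".txt");
        try {
            Files.write(canary, "CANARY-CONTENT".getBytes(StandardCharsets.US_ASCII));
            String probe = "<?xml version=\"1.0\"?>\n"
                    + "<!DOCTYPE foo [ <!ENTITY ext SYSTEM \"" + canary.toUri() + "\"> ]>\n"
                    + "<foo>&ext;</foo>";
            try {
                return !identityTransform(tf, probe).contains("CANARY-CONTENT");
            } catch (TransformerException rejected) {
                return true;   // the JDK parser reports that access is not allowed (accessExternalDTD)
            }
        } finally {
            Files.deleteIfExists(canary);
        }
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory tf = newHardenedFactory();
        System.out.println("external entity blocked: " + blocksExternalEntity(tf));
        // Ordinary input without a DOCTYPE is unaffected by the restrictions.
        System.out.println(identityTransform(tf, "<doc><item>plain input still works</item></doc>"));
    }
}
```

Run with the hardened factory, blocksExternalEntity returns true; with a plain TransformerFactory.newInstance() and no attributes it returns false because the canary text appears in the output, which is what the scanner finding is about. Implementations that predate JAXP 1.5 (for example an old standalone Xalan jar on the classpath) throw IllegalArgumentException from setAttribute for these names, so a failure there means the factory picked up by newInstance() is not the one you expected.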

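The answer's three requirements for a custom resolver (a request timeout, a limit on retrieved data, no access to the local host) are given for .NET's XmlResolver; the Java counterpart on the parser side is org.xml.sax.EntityResolver. The following is an added example, not code from this thread, that implements those three points in Java for the case where external entities genuinely must be processed. The class, method names and limits are mine, the document and identifiers used in main are constructed, and the comment about what secure processing does to ACCESS_EXTERNAL_DTD describes the JDK's built-in parser.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URI;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Fetches external entities only from non-local HTTP(S) hosts, with a timeout and a byte cap. */
public class RestrictedEntityResolver implements EntityResolver {
    private final int timeoutMillis;
    private final long maxBytes;

    public RestrictedEntityResolver(int timeoutMillis, long maxBytes) {
        this.timeoutMillis = timeoutMillis;
        this.maxBytes = maxBytes;
    }

    /** 3. Pure policy decision, kept separate so it can be tested without network access. */
    public boolean isAllowed(String systemId) {
        try {
            URI uri = new URI(systemId);
            String scheme = uri.getScheme();
            // http/https with a host only: refuses file:, jar:, ftp: and relative identifiers.
            if (scheme == null || uri.getHost() == null
                    || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
                return false;
            }
            InetAddress addr = InetAddress.getByName(uri.getHost());
            // Refuse loopback, wildcard, link-local and site-local (RFC 1918) targets.
            return !(addr.isLoopbackAddress() || addr.isAnyLocalAddress()
                    || addr.isLinkLocalAddress() || addr.isSiteLocalAddress());
        } catch (Exception e) {
            return false;                 // unparsable identifier or unresolvable host: refuse
        }
    }
    @Override
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
        if (systemId == null || !isAllowed(systemId)) {
            throw new SAXException("external entity refused by policy: " + systemId);
        }
        HttpURLConnection conn = (HttpURLConnection) URI.create(systemId).toURL().openConnection();
        conn.setConnectTimeout(timeoutMillis);    // 1. bound connect and read time
        conn.setReadTimeout(timeoutMillis);
        conn.setInstanceFollowRedirects(false);   // a redirect could otherwise point at an internal host
        InputSource src = new InputSource(new BoundedInputStream(conn.getInputStream(), maxBytes));
        src.setSystemId(systemId);
        return src;
    }

    /** 2. Aborts the parse with an IOException once more than maxBytes have been read. */
    static final class BoundedInputStream extends InputStream {
        private final InputStream in;
        private long remaining;
        BoundedInputStream(InputStream in, long maxBytes) { this.in = in; this.remaining = maxBytes; }
        @Override public int read() throws IOException {
            int b = in.read();
            if (b >= 0 && --remaining < 0) throw new IOException("external entity exceeds size limit");
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = in.read(buf, off, len);
            if (n > 0 && (remaining -= n) < 0) throw new IOException("external entity exceeds size limit");
            return n;
        }
        @Override public void close() throws IOException { in.close(); }
    }

    /** DocumentBuilder whose only route to an external resource is this resolver. */
    public static DocumentBuilder newRestrictedBuilder(RestrictedEntityResolver resolver) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);      // entity-expansion limits
        // The JDK's parser would now default this to "" (deny all); permit only http/https at the
        // parser level and leave the host-level decision to the resolver above.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "http,https");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setEntityResolver(resolver);
        return db;
    }

    public static void main(String[] args) throws Exception {
        RestrictedEntityResolver resolver = new RestrictedEntityResolver(3000, 64 * 1024);
        // Constructed document pointing at a loopback host: the parser hands the id to the resolver, which refuses it.
        String doc = "<!DOCTYPE r [ <!ENTITY e SYSTEM \"http://127.0.0.1/internal.dtd\"> ]><r>&e;</r>";
        try {
            newRestrictedBuilder(resolver).parse(new InputSource(new StringReader(doc)));
        } catch (SAXException refused) {
            System.out.println("parse refused: " + refused.getMessage());
        }
    }
}
```

Two caveats a reviewer would raise: the host is resolved once in isAllowed and again when HttpURLConnection connects, so a name that changes answers between the two lookups can slip past the check (a second resolution inside the connection path, or an IP allow-list, closes that gap), and isSiteLocalAddress does not cover IPv6 unique-local ranges (fc00::/7). Redirects are simply disabled rather than re-checked. Where the application does not need external entities at all, the blanket denial via ACCESS_EXTERNAL_DTD set to "" remains the simpler and stronger option.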
I tried with the "Xalan" implementation class instead of TransformerFactory.newInstance(). It worked for me and the Fortify issue got fixed.

TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
Transformer transformer = transformerFactoryImpl.newTransformer();

Might be useful for someone.

Posted On : 2016-07-14 21:15:57
Satisfied : 6 Yes  3 No
veera
Comments
Hi,

After trying with the "Xalan" implementation the issues get 100% resolved, but I am generating a PDF file using the TransformerFactoryImpl, and the PDF generation is failing because of using TransformerFactoryImpl.
I am getting the error below. Help me to fix the issue.

error on console: java.lang.NoClassDefFoundError:com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl

Thanks,
Raghavendra.
Ragu Ankad
Posted On :2017-10-30 22:51:16.0
Leave a Comment
I think this is just a runtime exception. Just try to build your project again, clean the work directory and redeploy it.
Garima Gupta
Posted On :2017-10-30 23:03:46.0


