XXE Code Audit and Defense Strategies for Java
langu_xyz

1、XXE trigger points in Java code

Two conditions must hold for XXE to occur: 1. the application receives and parses XML supplied from outside; 2. external entity resolution has not been disabled in the parser.

JAXP DocumentBuilderFactory, SAXParserFactory and DOM4J
XMLInputFactory (a StAX parser)
Oracle DOM Parser
TransformerFactory
Validator
SchemaFactory
SAXTransformerFactory
XMLReader
SAXReader
SAXBuilder
No-op EntityResolver
JAXB Unmarshaller
XPathExpression
java.beans.XMLDecoder
Other XML Parsers
Spring Framework MVC/OXM XXE Vulnerabilities
Castor
……..

https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

XXE & SSRF

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal.vulnerable-website.com/"> ]>

XInclude attacks

<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>

2、How to defend against XXE attacks

2.1 Disable external entity resolution

For example, with dom4j's SAXReader:

// Reject any DOCTYPE declaration outright; without a DTD no entities can be declared
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth: do not resolve external general or parameter entities either
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

Further reading: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

2.2 Upgrade to a safe version

Apache POI >= 4.1.1

  • Post title: XXE Code Audit and Defense Strategies for Java
  • Post author: langu_xyz
  • Create time: 2018-05-16 21:00:00
  • Post link: https://blog.langu.xyz/XXE代码审计和防御策略 for Java/
  • Copyright Notice:All articles in this blog are licensed under BY-NC-SA unless stating additionally.