August 2012 – Compass Security Blog

Secure XML Parser Configuration

Most XML parsers are vulnerable for XML external entitiy attacks (XXE) by default. So what’s your mitigation? The easiest way to prevent XXE is to disallow the Doctype declaration completely: import java.io.File; import org.jdom.Document; import org.jdom.JDOMException; import org.jdom.input.SAXBuilder; public class XEE_Disallow_Doctype_Decl { public static void main(String[] args) { String element= null; SAXBuilder objBuilder = null; […]

AntiSamy to face XSS and XXE

August 8, 2012 / Cyrill Brunschwiler / 3 Comments

The community hosts a neat little project called AntiSamy[1] which lends its name from the well known MySpace worm[2] and which comes in handy when trying to mitigate Cross-site Scripting[3] attacks. Whereby XSS is sometimes hard to mitigate when business is asking for HTML formatting in user supplied inputs. At that point, AntiSamy might become […]

Up ↑

Compass Security Blog

Offensive Defense

Secure XML Parser Configuration

AntiSamy to face XSS and XXE

Recent Posts

Categories

Compass Links

Compass Security Blog

Offensive Defense

Secure XML Parser Configuration

AntiSamy to face XSS and XXE

Recent Posts

Categories

Tags

Compass Links