Most XML parsers are vulnerable for XML external entitiy attacks (XXE) by default. So what’s your mitigation?

The easiest way to prevent XXE is to disallow the Doctype declaration completely:

import java.io.File;
import org.jdom.Document;
import org.jdom.JDOMException;
import org.jdom.input.SAXBuilder;

public class XEE_Disallow_Doctype_Decl {
	public static void main(String[] args) {
		String element= null;
		SAXBuilder objBuilder = null;
		Document objDocXML = null;
		try
		{
			objBuilder = new SAXBuilder("org.apache.xerces.parsers.SAXParser");
			objBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
			objDocXML = objBuilder.build(new File("data\\test.xml"));
			element= objDocXML.getRootElement().getChild("TestElement").getText();
			System.out.println("Element: " + element);
		} catch(Exception e) {
			e.printStackTrace();
		}
	}
}

If this is not possible, because the Doctype declaration is required in your application, you can disallow external entities:

import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

public class XEE_Disallow_External_Entities {

	public static void main(String[] args) {
		String xmlFile = "data\\test.xml";
		MyHandler handler = new MyHandler();
		try {
			SAXParserFactory factory = SAXParserFactory.newInstance();
			factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
			factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
			SAXParser parser = factory.newSAXParser();
			parser.parse(xmlFile, handler);
		} catch (Exception e) {
			e.printStackTrace();
		}
	}
}

To ensure if your configuration is secure, you should always verify the parser manually!

Want to learn more about XML external entity attacks and application security? Join our web application security trainings in Rapperswil/Jona next week:

References