TechQA.

XMLStreamReader / InputStream xxe vulnerability showing up in Checkmarx report

2.9k views Asked by At

These lines of code are causing an xxe vulnerability to show up in a Checkmarx report:

InputStream is = connection.getInputStream();

XMLInputFactory factory = XMLInputFactory.newInstance();
XMLStreamReader reader = factory.createXMLStreamReader(is);

The issue states that:

"The application sends a request to a remote server, for some resource, using createXMLStreamReader. However, an attacker can control the target of the request, by sending a URL or other data in getInputStream."

Any ideas how to resolve this?

java inputstream checkmarx xmlstreamreader xxe
Original Q&A
1

There are 1 answers

0
Artanis On BEST ANSWER

Found answer that worked for me here; add these properties to the XMLInputFactory: 

XMLInputFactory xif = XMLInputFactory.newFactory();

//prevents using external resources when parsing xml
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);

//prevents using external document type definition when parsing xml
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);

Related Questions in JAVA

Related Questions in INPUTSTREAM

Related Questions in CHECKMARX

Related Questions in XMLSTREAMREADER

Related Questions in XXE

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions