https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=PeterPichlerOWASP - User contributions [en]2026-05-27T09:11:59ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Talk:XML_External_Entity_(XXE)_Processing&diff=189038Talk:XML External Entity (XXE) Processing2015-02-04T16:40:54Z<p>PeterPichler: </p>
<hr />
<div><br />
== XXE Prevention in Java / Using an own EntiyResolver Implementation? ==<br />
<br />
<br />
----<br />
<br />
<br />
Context: We write Java Software, used in quite different environment (div. Operating System, OpenJDK, IBM-JDK, Sun-JDK, JDK 6 - JDK8). I am not really happy with the described solution to prevent External Entity Injection, because it is depending on some special XML parser Implementations.<br />
<br />
To prevent External Entity Injection flaws we primarily use our own EntityResolver and we think this alone should be enough to ensure that the parser can not access resources via URL´s from SGML Entity Declarations.<br />
<br />
Our Entity Resolver looks like:<br />
<br />
----<br />
<pre>public class SecureEntityResolver implements EntityResolver {<br />
<br />
@Override<br />
public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {<br />
return new InputSource(new ByteArrayInputStream("".getBytes()));<br />
}<br />
<br />
<br />
}<br />
</pre><br />
----<br />
<br />
When parsing XML we register our Entity-Resolver<br />
<br />
----<br />
<br />
<pre>DocumentBuilderFactory newFactory = DocumentBuilderFactory.newInstance();<br />
newFactory.setNamespaceAware(true);<br />
<br />
DocumentBuilder builder = newFactory.newDocumentBuilder();<br />
builder.setEntityResolver(new SecureEntityResolver()); /* !!!! */<br />
<br />
Document doc = builder.parse(...);</pre><br />
<br />
----<br />
<br />
<br />
Does anyone see problems with this way to prevent XXE Injection attacks?<br />
--[[User:PeterPichler|PeterPichler]] ([[User talk:PeterPichler|talk]]) 10:40, 4 February 2015 (CST)<br />
<br />
: I like your approach in general because it gets away from the silliness of each processor. Have you ran different test cases to see what happens? Even better, could you enable the Java security manager and grant only file access to the test case? I'm interested in seeing if a network connection is attempted during the resolution. --[[User:Jon Passki|Jon Passki]] ([[User talk:Jon Passki|talk]])<br />
<br />
:: I do not have the resources to make extensive tests currently. We had an white box security review of our software, and our security review partner (SecConsult) found an XXE Entity Injection Flaw. We was able to reproduce it... When using our own EntityResolver, it was not possible any more to access local resources. With this entity resolver we passed the recheck (by the company detected the XXE bug). This summer we will have a recheck again. I will stress this topic again during recertification... and try to bring back infos to this page. --[[User:PeterPichler|PeterPichler]] ([[User talk:PeterPichler|talk]]) 10:40, 4 February 2015 (CST)</div>PeterPichlerhttps://wiki.owasp.org/index.php?title=Talk:XML_External_Entity_(XXE)_Processing&diff=189033Talk:XML External Entity (XXE) Processing2015-02-04T15:19:35Z<p>PeterPichler: Removed non functional code</p>
<hr />
<div><br />
== XXE Prevention in Java / Using an own EntiyResolver Implementation? ==<br />
<br />
<br />
----<br />
<br />
<br />
Context: We write Java Software, used in quite different environment (div. Operating System, OpenJDK, IBM-JDK, Sun-JDK, JDK 6 - JDK8). I am not really happy with the described solution to prevent External Entity Injection, because it is depending on some special XML parser Implementations.<br />
<br />
To prevent External Entity Injection flaws we primarily use our own EntityResolver and we think this alone should be enough to ensure that the parser can not access resources via URL´s from SGML Entity Declarations.<br />
<br />
Our Entity Resolver looks like:<br />
<br />
----<br />
<pre>public class SecureEntityResolver implements EntityResolver {<br />
<br />
@Override<br />
public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {<br />
return new InputSource(new ByteArrayInputStream("".getBytes()));<br />
}<br />
<br />
<br />
}<br />
</pre><br />
----<br />
<br />
When parsing XML we register our Entity-Resolver<br />
<br />
----<br />
<br />
<pre>DocumentBuilderFactory newFactory = DocumentBuilderFactory.newInstance();<br />
newFactory.setNamespaceAware(true);<br />
<br />
DocumentBuilder builder = newFactory.newDocumentBuilder();<br />
builder.setEntityResolver(new SecureEntityResolver()); /* !!!! */<br />
<br />
Document doc = builder.parse(...);</pre><br />
<br />
----<br />
<br />
<br />
Does anyone see problems with this way to prevent XXE Injection attacks?<br />
: I like your approach in general because it gets away from the silliness of each processor. Have you ran different test cases to see what happens? Even better, could you enable the Java security manager and grant only file access to the test case? I'm interested in seeing if a network connection is attempted during the resolution. --[[User:Jon Passki|Jon Passki]] ([[User talk:Jon Passki|talk]])</div>PeterPichlerhttps://wiki.owasp.org/index.php?title=Talk:XML_External_Entity_(XXE)_Processing&diff=189031Talk:XML External Entity (XXE) Processing2015-02-04T15:08:26Z<p>PeterPichler: XXE Injection / Java / Using special EntityResolver</p>
<hr />
<div><br />
== XXE Prevention in Java / Using an own EntiyResolver Implementation? ==<br />
<br />
<br />
----<br />
<br />
<br />
Context: We write Java Software, used in quite different environment (div. Operating System, OpenJDK, IBM-JDK, Sun-JDK, JDK 6 - JDK8). I am not really happy with the described solution to prevent External Entity Injection, because it is depending on some special XML parser Implementations.<br />
<br />
To prevent External Entity Injection flaws we primarily use our own EntityResolver and we think this alone should be enough to ensure that the parser can not access resources via URL´s from SGML Entity Declarations.<br />
<br />
Our Entity Resolver looks like:<br />
<br />
----<br />
<pre>public class SecureEntityResolver implements EntityResolver {<br />
List<String> allowedSystemIds = new ArrayList<String>();<br />
<br />
@Override<br />
public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {<br />
if(allowedSystemIds.contains(systemId)) {<br />
// return a special input source<br />
return new InputSource(new ByteArrayInputStream(systemId.getBytes()));<br />
}<br />
return new InputSource(new ByteArrayInputStream("".getBytes()));<br />
}<br />
<br />
public void addAllowedSystemIds(List<String> allowedSystemIds) {<br />
this.allowedSystemIds = allowedSystemIds;<br />
}<br />
}<br />
</pre><br />
----<br />
<br />
When parsing XML we register our Entity-Resolver<br />
<br />
----<br />
<br />
<pre>DocumentBuilderFactory newFactory = DocumentBuilderFactory.newInstance();<br />
newFactory.setNamespaceAware(true);<br />
<br />
DocumentBuilder builder = newFactory.newDocumentBuilder();<br />
builder.setEntityResolver(new SecureEntityResolver()); /* !!!! */<br />
<br />
Document doc = builder.parse(...);</pre><br />
<br />
----<br />
<br />
<br />
Does anyone see problems with this way to prevent XXE Injection attacks?</div>PeterPichler