With XML eXternal Entity (XXE) processing enabled, an attacker can craft a malicious XML document like the one below and read the contents of any file the parsing process is allowed to read (here /etc/passwd). It is no surprise that XXE injection appears in the OWASP Top 10. Java XML libraries are particularly exposed to it because most Java XML parsers, including the ones shipped with the JDK, resolve external entities by default.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE bar [
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<song>
<artist>&xxe;</artist>
<title>Bohemian Rhapsody</title>
<album>A Night at the Opera</album>
</song>
A simple SAX parser with a DefaultHandler, as shown below, parses that XML document and prints the contents of the passwd file. The Java SAX parser is used as the main example here, but other parsers such as DocumentBuilder and DOM4J have the same default behaviour.
import java.io.File;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
// Default factory settings: DOCTYPE and external entities are allowed.
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser();
DefaultHandler handler = new DefaultHandler() {
    public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
        System.out.println(qName);
    }
    public void characters(char ch[], int start, int length) throws SAXException {
        // For <artist> this is the expanded &xxe; entity, i.e. the passwd file.
        System.out.println(new String(ch, start, length));
    }
};
// "song.xml" is a placeholder name for the malicious document shown above.
saxParser.parse(new File("song.xml"), handler);
Changing the default settings, disallowing external general entities (the SAX feature, honoured by Xerces 1 and Xerces 2) and rejecting DOCTYPE declarations altogether (the Xerces 2 feature, which also shuts down the parameter-entity and DTD-based variants), prevents these kinds of attacks. Two details matter: the feature names use the http scheme and must match exactly, and they must be set on the factory before newSAXParser() is called, because a parser that has already been created does not pick them up.
...
SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
SAXParser saxParser = factory.newSAXParser();
// The SAX feature can also be switched off on a parser that already exists:
saxParser.getXMLReader().setFeature("http://xml.org/sax/features/external-general-entities", false);
...
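The following program is an added example, not code from the original post: it builds the payload shown above against a temporary file (a constructed stand-in for /etc/passwd, so it runs on any OS), parses it once with the JDK's default SAX settings and once with the hardened factory, and applies the same hardening to DocumentBuilderFactory, which the post mentions as sharing the vulnerable defaults. It assumes Java 11 or later with the JDK's built-in Xerces parser; the class and method names (XxeDemo, unsafeFactory, safeFactory, safeDomFactory) are chosen here for illustration. It also goes one step beyond the post by disabling external parameter entities and enabling FEATURE_SECURE_PROCESSING as defence in depth.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDemo {

    /** Collects element text so the caller can see what the parser resolved. */
    static class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        @Override
        public void characters(char[] ch, int start, int length) {
            text.append(ch, start, length);
        }
    }

    /** JDK defaults: DOCTYPE and external entities are allowed. */
    static SAXParserFactory unsafeFactory() {
        return SAXParserFactory.newInstance();
    }

    /**
     * Hardened settings. Features go on the factory *before* newSAXParser();
     * disallow-doctype-decl alone rejects every DTD-based payload, the other
     * features are defence in depth for parsers that do not support it.
     */
    static SAXParserFactory safeFactory() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory;
    }

    /** The same hardening for the DOM API (DocumentBuilder). */
    static DocumentBuilderFactory safeDomFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses xml with the given factory and returns the concatenated element text. */
    static String parse(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        TextCollector handler = new TextCollector();
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            parser.parse(in, handler);
        }
        return handler.text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for /etc/passwd so the demo runs on any OS.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "root:x:0:0:root:/root:/bin/bash");

        // Same shape as the payload in the post, pointing at the temp file instead.
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n"
                + "<!DOCTYPE bar [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
                + "<song><artist>&xxe;</artist><title>Bohemian Rhapsody</title></song>";

        // The default parser expands &xxe; and the file contents end up inside <artist>.
        System.out.println("unsafe: " + parse(unsafeFactory(), xml));

        // The hardened SAX parser rejects the document at the DOCTYPE, before any entity is touched.
        try {
            parse(safeFactory(), xml);
        } catch (SAXParseException e) {
            System.out.println("safe SAX: rejected -> " + e.getMessage());
        }

        // The hardened DOM parser fails the same way.
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            safeDomFactory().newDocumentBuilder().parse(in);
        } catch (SAXParseException e) {
            System.out.println("safe DOM: rejected -> " + e.getMessage());
        }

        Files.deleteIfExists(secret);
    }
}
```

Run it with `java XxeDemo.java`. The unsafe run prints the line written to the temporary file inside the artist text; both hardened runs throw a SAXParseException from the DOCTYPE check, which is the behaviour you want in production: a DTD in untrusted input is an error, not something to resolve.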
For more hands-on information about preventing malicious XXE injection, please take a look at the OWASP XXE Prevention Cheat Sheet (https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html).
This was just 1 of 10 Java security best practices. Take a look at the full 10 and the easy printable one-pager available
from: https://dev.to//brianverm/configure-your-java-xml-parsers-to-prevent-xxe-213c