Veracode XML External Entity Reference (XXE)

Have you seen the OWASP guide about XXE?

You are not disabling the 3 features you should disable. Most importantly the first one:

dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

Tags:

Java

Security

Veracode

Xxe

Recent Posts