Do you want your ad here?

Contact us to get your ad seen by thousands of users every day!

[email protected]

Hacking Java XML Input via External Entity Injection

  • January 14, 2021
  • 2783 Unique Views
  • < 1 min read

Java natively supplies many different options to parse XML. However, all available parsers in Java have XML eXternal Entity (XXE) enabled by default. This makes Java XML libraries particularly vulnerable to XXE injection.

We already briefly went into XXE injection problem in an earlier blog post on foojay.io. However, let's go a little deeper. In the video below, I explain and demonstrate how an XXE injection attack works by extracting system data that should not be exposed. I also show you how you can solve this in your Java code in multiple ways.

In summary, with XXE enabled, it is possible to create malicious XML that reads the content of an arbitrary file on the machine. It’s not a surprise that XXE attacks are part of the OWASP Top 10 vulnerabilities.

Avatar photo

Brian Vermeer

Author

Java Champions & Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, NLJUG and DevSecCon community. Brian is also an Oracle Groundbreaker Ambassador and regular international speaker on mostly Java-related conferences.

Avatar photo

Brian Vermeer

Author

Java Champions & Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, NLJUG and DevSecCon community. Brian is also an Oracle Groundbreaker Ambassador and regular international speaker on mostly Java-related conferences.

Learn more

Thanks to our Sponsors!

Azul logo
Azul
Platinum Sponsor
Redis logo
Redis
Gold Sponsor
Payara logo
Payara
Silver Sponsor
Digma logo
Digma
Silver Sponsor
adesso logo
adesso
Bronze Sponsor

Trending

Week Month All

Event-Driven Architecture and Change Data Capture Made Easy

A Glance into JFR Class and Method Tagging

Building a Declarative API with Spring AOP and SpEL

Webinar: Find Undead Code in Your Java Environments

Pi4J Welcomes Java 21 on the Raspberry Pi

Remote Development Made Simple with DevPod

Sliding Window Log Rate Limiter (Redis & Java)

Clean Shutdown of Spring Boot Applications

Spring Data Neo4j: How to update an entity

How JVM handles exceptions

foojay: A Place for Friends of OpenJDK

Dashboard for OpenJDK Update Release Details

JDK14: New Features and Enhancements

Fun with Flags: My Top 10 Resources for JVM Flags

Performance of Modern Java on Data-Heavy Workloads: Real-Time Streaming

Performance of Modern Java on Data-Heavy Workloads: Batch Processing

How does Java handle different Images and ColorSpaces – Part 1

How does Java handle different Images and ColorSpaces – Part 2

How does Java handle different Images and ColorSpaces – Part 3

How does Java handle different Images and ColorSpaces – Part 4

Indexing all of Wikipedia, on a laptop

Working with Multiple Carets in IntelliJ IDEA

Clean Shutdown of Spring Boot Applications

Java 17 on the Raspberry Pi

Foojay Slack: bit.ly/join-foojay-slack

How to Create Mobile Apps with JavaFX (Part 1)

Beginning JavaFX Applications with IntelliJ IDE

SpringBoot 3.2 + CRaC

Project Panama for Newbies (Part 1)

Java 21 is Available Today, And It’s Quite the Update

Do you want your ad here?

Contact us to get your ad seen by thousands of users every day!

[email protected]

Comments (2)

Highlight your code snippets using [code lang="language name"] shortcode. Just insert your code between opening and closing tag: [code lang="java"] code [/code]. Or specify another language.

Stephan avatar

Stephan

3 weeks ago

Hey, you might consider adding these other VoxxedDays events too for 2025 @ https://events.voxxeddays.com #Thanks

26

Highlight your code snippets using [code lang="language name"] shortcode. Just insert your code between opening and closing tag: [code lang="java"] code [/code]. Or specify another language.

Geertjan avatar

Geertjan

3 weeks ago

Thanks, will do, Stephan!

10

Highlight your code snippets using [code lang="language name"] shortcode. Just insert your code between opening and closing tag: [code lang="java"] code [/code]. Or specify another language.

Set Event Reminder

Subscribe to foojay updates:

https://foojay.io/feed/
Copied to the clipboard