
Hacking Java XML Input via External Entity Injection

  • January 14, 2021

Java natively supplies several ways to parse XML: DOM (DocumentBuilderFactory), SAX (SAXParserFactory), StAX (XMLInputFactory), and libraries such as JAXB that are built on top of them. However, in their default configuration the standard JDK parsers process the DTD and resolve external entities, so XML eXternal Entity (XXE) injection is possible unless you explicitly turn it off. This makes Java XML code particularly prone to XXE injection.

We already briefly went into the XXE injection problem in an earlier blog post on foojay.io, but let's go a little deeper. In the video below, I explain and demonstrate how an XXE injection attack works by extracting system data that should not be exposed, and I show multiple ways to fix this in your Java code.

In summary, with XXE enabled it is possible to craft malicious XML that declares an external entity pointing at an arbitrary file (for example file:///etc/passwd) and have the parser inline the contents of any file the application process can read; the same entity mechanism can be pointed at an http:// URL to make the server issue requests on the attacker's behalf. It is no surprise that XXE had its own category (A4) in the 2017 OWASP Top 10; in the 2021 edition it is folded into Security Misconfiguration.
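The attack and the fixes described above, as an added example that is not the code from the post or its video. It builds the malicious document itself, parses it once with the JDK's default DocumentBuilderFactory (which inlines the file), then shows two hardened parsers: a DOM factory that rejects any DOCTYPE, and a StAX reader with DTD and external-entity support switched off. To keep it runnable on any machine, the "secret" file is a temporary file created by the program rather than a real system file; the element and entity names are made up for the demo.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    /** Attacker-controlled document: an external entity that points at a local file. */
    static String maliciousXml(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE order [\n"
             + "  <!ENTITY secret SYSTEM \"" + target.toUri() + "\">\n"
             + "]>\n"
             + "<order><note>&secret;</note></order>";
    }

    /** Vulnerable: JDK defaults resolve the external entity and inline the file. */
    static String parseWithDefaults(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("note").item(0).getTextContent();
    }

    /** Hardened DOM factory: reject any DOCTYPE, so no entity can be declared at all. */
    static DocumentBuilderFactory hardenedDomFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth for code paths that must tolerate a DTD:
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Hardened StAX reader: no DTD processing and no external entity resolution. */
    static String parseWithHardenedStax(String xml) throws XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader r = xif.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.CHARACTERS) {
                text.append(r.getText());
            }
        }
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret": a temp file standing in for /etc/passwd or a config file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "db.password=hunter2");
        String xml = maliciousXml(secret);

        // 1. Default parser: the file content ends up inside <note>.
        System.out.println("default DOM parser  : " + parseWithDefaults(xml));

        // 2. Hardened DOM parser: the DOCTYPE itself is refused.
        try {
            hardenedDomFactory().newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)));
            System.out.println("hardened DOM parser : unexpectedly accepted the document");
        } catch (SAXParseException e) {
            System.out.println("hardened DOM parser : rejected (" + e.getMessage() + ")");
        }

        // 3. Hardened StAX parser: the entity cannot be resolved, so parsing fails
        //    instead of leaking the file.
        try {
            System.out.println("hardened StAX parser: " + parseWithHardenedStax(xml));
        } catch (XMLStreamException e) {
            System.out.println("hardened StAX parser: rejected (" + e.getMessage() + ")");
        }

        Files.deleteIfExists(secret);
    }
}
```

Disabling the DOCTYPE declaration outright is the strongest option, because it also closes the door to parameter-entity tricks and entity-expansion denial of service ("billion laughs"); only fall back to the individual external-entity features when your input legitimately needs a DTD. The same hardening has to be applied to every parser instance, including the ones created indirectly by JAXB, XPath and XSLT code, since each factory starts from the permissive defaults.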


Comments (2)



Tobiloba

3 years ago

I see that you save the point of interest as text in the DB but the response gotten from ChatGPT is JSON. Does this mean you convert the response into string using libraries like gson before saving it in the database?

-8



Denis Magda

3 years ago

Hey, the response is a String object in the JSON format [1]. The repository takes this JSON string as is and stores it in the database [2].

Presently, Spring Data auto-generates the CREATE TABLE statement on startup and sets the "point of interest" column's type to "text" (or "varchar", don't remember). However, it's always possible to ask Spring Data to use the "json" or "jsonb" type for the column if you wish to query the JSON at the database level.

Finally, Vaadin displays a list of PointsOfInterests. Those are generated using the org.json library [3].

Let me know if you have other questions. Hope this helps.

[1] https://github.com/YugabyteDB-Samples/budget-journey-gpt/blob/main/src/main/java/com/yugabyte/com/TripsAdvisorService.java#L103
[2] https://github.com/YugabyteDB-Samples/budget-journey-gpt/blob/main/src/main/java/com/yugabyte/com/TripsAdvisorService.java#L74
[3] https://github.com/YugabyteDB-Samples/budget-journey-gpt/blob/main/src/main/java/com/yugabyte/com/TripsAdvisorService.java#L114

12
