Hacking Java XML Input via External Entity Injection

Java natively supplies many different options to parse XML. However, all available parsers in Java have XML eXternal Entity (XXE) enabled by default. This makes Java XML libraries particularly vulnerable to XXE injection.

We already briefly went into XXE injection problem in an earlier blog post on foojay.io. However, let's go a little deeper. In the video below, I explain and demonstrate how an XXE injection attack works by extracting system data that should not be exposed. I also show you how you can solve this in your Java code in multiple ways.

In summary, with XXE enabled, it is possible to create malicious XML that reads the content of an arbitrary file on the machine. It’s not a surprise that XXE attacks are part of the OWASP Top 10 vulnerabilities.


Don’t Forget to Share This Post!

Comments (0)

Your email address will not be published. Required fields are marked *

Highlight your code snippets using [code lang="language name"] shortcode. Just insert your code between opening and closing tag: [code lang="java"] code [/code]. Or specify another language.

Related Articles

Subscribe to foojay updates:

Copied to the clipboard