search

A5:2021 | Security Misconfiguration (12) | Cycubix Docs

hashtag
XXE mitigation

In order to protect against XXE attacks you need to make sure you validate the input received from an untrusted client. In the Java world you can also instruct your parser to ignore DTD completely, for example:

XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);

if you are not able to completely switch off the DTD support, you can also instruct the XML parser to ignore external entities, like:

XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);

For more information about configuration, see XXE prevention sheetarrow-up-right

hashtag
Validate

Implement proper validation for the Content-type and Accept header do not simply rely on the framework to handle the incoming request. If the client specifies a proper accept header return with a `406/Not Acceptable.

PreviousA5:2021 | Security Misconfiguration (11) | Cycubix DocsNextA5:2021 | Security Misconfiguration (13) | Cycubix Docs

Last updated

Was this helpful?