A5:2021 | Security Misconfiguration (6) | Cycubix Docs
Find XXE with a code review
Now we know how the injection work, let’s look at why this can happen. In Java applications XML library configuration is not secure by default, and you have to change the settings. Suppose you find the following code snippet during a code review:
while having a look at the release notes of the Jackson library you read:
211: Disable
SUPPORT_DTD
forXMLInputFactory
unless explicitly overridden
— Jackson 2.7.8 (26-Sep-2016)
Question: is the parser vulnerable?
This piece of code defines a new XmlMapper
(ObjectMapper
) which is a popular framework for reading and writing xml and json. If we follow the code one level deeper we find:
This is the 'constructor' we called from the listing above (1)
Call to another 'constructor' and initialize a new instance of XmlFactory
Let’s take a look at the source code of XMLFactory
This is the 'constructor' definition of the new instance created in 3
Call to another 'constructor' defined in 3
In 4 we know if (xmlIn == null)
will not be true because if we look at our declaration at the top we created our own instance XMLInputFactory.newInstance()
which is not null
. This means that we have a XML parser which is by default not secured against XXE injection. The interesting part at 5 and 6 is the extra protection nested inside the if statement.
If we look at the Spring Boot framework for example how they initialize the same parser:
As you can see the explicitly define the XMLInputFactory
through the private method xmlInputFactory()
which actually sets the same properties to the parser as we saw in the previous listing.
As you can see this it is not that easy to find out whether the parser is secure against the injection you really have to dig deep in the code, and the library to find out what the parser settings are.
Take a look at XXE prevention sheet for more ways to secure your parser.
Last updated