- An XML External Entity (XXE) attack enables the attacker to access local or remote content, resulting in information disclosure and denial-of-service attacks
- External entities are declared with the SYSTEM keyword; the XML parser reads the referenced document from the URI specified
- This URI value can be replaced by the attacker to make the parser read any local or remote file

XML External Entity Attack (Cont’d)
- Prevent XML External Entity attacks by implementing the org.xml.sax.EntityResolver resolveEntity() method
- The customized handler uses a whitelist to check which external entities may be resolved
- The resolveEntity() method is called to resolve each external entity of the XML document while parsing
Insecure Code

Secure Code
- The code snippet below implements the org.xml.sax.EntityResolver resolveEntity() method

resolveEntity() method syntax
InputSource resolveEntity (String publicId, String systemId) throws SAXException, IOException