TechQA.

XML External Entity Injection: Hp Fortify issue in java 1.6

2.1k views Asked by At

I was trying to fix XEE issue and have tried other options but won't work. Would be great if there were any pointers.

Below is my code snippet.. 

ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
Source xmlSource = new DOMSource(feed);
Result outputTarget = new StreamResult(outputStream);
TransformerFactory.newInstance().newTransformer().transform(xmlSource,outputTarget);
is = new ByteArrayInputStream(outputStream.toByteArray());
java security owasp xxe application-security
Original Q&A
1

There are 1 answers

2
SPoint On

Have a look at OWASP XXE Prevention Cheat Sheet

based of what i see in your code, you should modifiy it like this : 

ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
Source xmlSource = new DOMSource(feed);
Result outputTarget = new StreamResult(outputStream);

TransformerFactory tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

tf.newTransformer().transform(xmlSource,outputTarget);
is = new ByteArrayInputStream(outputStream.toByteArray());

Related Questions in JAVA

Related Questions in SECURITY

Related Questions in OWASP

Related Questions in XXE

Related Questions in APPLICATION-SECURITY

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions