Java XML Security: How to prevent External Entity (XXE) Injection attacks

Java XML Security: How to prevent External Entity (XXE) Injection attacks

Jan 12, 2021

Is Java XML parsing safe?
What is an XML External Entity Vulnerability in Java?
How do XXE attacks work in Java?
How to do Java XML External Entity Prevention?

Make sure to subscribe so you don't miss new content!
https://www.youtube.com/channel/UCh4dJzctb0NhSibjU-e2P6w/

Java natively supplies many different options to parse XML. However, all available parsers in Java have XML eXternal Entity (XXE) enabled by default. This makes Java XML libraries particularly vulnerable to XXE injection.
With XXE enabled, it is possible to create a malicious XML that reads the content of an arbitrary file on the machine. It’s not a surprise that XXE attacks are part of the OWASP Top 10 vulnerabilities. In this video, I explain how XXE injection works, and I demonstrate how you can prevent these types of attacks in your own Java code.

#Snyk #Java #XML #XXE #OpenSource

0:00 ⏩ Introduction
0:20 ⏩ Java application to upload an XML file
0:46 ⏩ Valid XML format
1:25 ⏩ Malicious XML file with XXE injection
2:44 ⏩ Solution #1 Disallow Doctype Declarations
3:47 ⏩ XML file with non-malicious Doctype Declaration
4:11 ⏩ Solution #2 Block external entities
4:30 ⏩ Set features for a specific XML parser
4:40 ⏩ Scan your Java application for Security vulnerabilities
4:47 ⏩ Recap

Resources:

  1. Java security best practices: https://snyk.io/blog/10-java-security-best-practices/

Java dependency management: https://snyk.io/blog/java-dependency-management/

  • Spring Boot security best practices: https://snyk.io/blog/spring-boot-security-best-practices/
    Open source vulnerability scanner: https://snyk.io/blog/open-source-vulnerability-scanner/