9b72610510
Remove obsolete images Add stylesheet items specific for asciidoctor so we can for icons and source numbering
25 lines
1.1 KiB
Plaintext
25 lines
1.1 KiB
Plaintext
== XXE mitigation
|
|
|
|
In order to protect against XXE attacks you need to make sure you validate the input received from an untrusted client. In the Java world you can also instruct your parser to ignore DTD completely, for example:
|
|
|
|
[source]
|
|
----
|
|
XMLInputFactory xif = XMLInputFactory.newFactory();
|
|
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
|
----
|
|
|
|
if you are not able to completely switch off the DTD support, you can also instruct the XML parser to ignore external entities, like:
|
|
|
|
[source]
|
|
----
|
|
XMLInputFactory xif = XMLInputFactory.newFactory();
|
|
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
|
|
xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
|
|
----
|
|
|
|
For more information about configuration, see https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html[XXE prevention sheet]
|
|
|
|
|
|
==== Validate
|
|
|
|
Implement proper validation for the Content-type and Accept header do not simply rely on the framework to handle the incoming request. If the client specifies a proper accept header return with a `406/Not Acceptable. |