Nanne Baars 9b72610510 Extend XXE lesson with more content and add solution description
Remove obsolete images
Add stylesheet items specific for asciidoctor so we can for icons and source numbering
2020-05-22 10:10:42 +02:00

25 lines
1.1 KiB
Plaintext

== XXE mitigation
In order to protect against XXE attacks you need to make sure you validate the input received from an untrusted client. In the Java world you can also instruct your parser to ignore DTD completely, for example:
[source]
----
XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
----
if you are not able to completely switch off the DTD support, you can also instruct the XML parser to ignore external entities, like:
[source]
----
XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
----
For more information about configuration, see https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html[XXE prevention sheet]
==== Validate
Implement proper validation for the Content-type and Accept header do not simply rely on the framework to handle the incoming request. If the client specifies a proper accept header return with a `406/Not Acceptable.