How to Detect XXE Attacks from Text Input in Java
Check single or multiple text inputs for XML External Entity Attacks using an API in Java.
XML (Extensible Markup Language) is an incredibly popular data format used in a wide variety of contexts, from documents to images to video. However, the very design of XML requires an application to parse its input before producing output, and that parsing step is the opening for XML External Entity (XXE) attacks. XXE attacks exploit weaknesses in how XML parsers handle Document Type Definitions (DTDs): an attacker-supplied entity declaration can be expanded to cause a denial of service, or used for Server-Side Request Forgery (SSRF) to reach sensitive data. These attacks do not discriminate in whom they target; any application that uses a parser to interpret XML data is potentially exposed. Several high-profile companies have reported being exposed to this type of attack over the past few years.
While XXE attacks may not get the press that viruses, malware, and social engineering threats receive these days, they remain a very prominent and often overlooked form of attack. An XXE attacker transmits their own values through entity declarations and forces the application to process and display them; any endpoint that accepts XML as input is susceptible. Because these threats fall outside the protection of basic anti-virus software, protecting a web application from XXE attacks will usually fall to the developer. Instead of spending time developing a workaround, we will demonstrate how to automate the detection of XXE attacks in a single text input, or in multiple text inputs in batch, using the following APIs in Java.
To begin, we will install the Maven SDK by adding a reference to the repository in pom.xml:
Then, we will add a reference to the dependency:
The first function checks a single text input for XXE attacks. Once the installation above is complete, you can call the function with the following code:
In order for the API to work properly, there are a handful of required and optional parameters to include:
- User-facing Text Input (required) – the target string for the operation.
- API Key (required) – your personal API key; this can be retrieved from the Cloudmersive website by registering for a free account that provides 800 monthly calls across our entire API library.
- Allow Internet URLs (optional) – set to true to allow internet-based dependency URLs for DTDs and other XML External Entities, or false to block them; the default is false.
- Known Safe URLs (optional) – a comma-separated list of fully qualified URLs that will automatically be considered safe.
- Known Unsafe URLs (optional) – a comma-separated list of fully qualified URLs that will automatically be considered unsafe.
This will return a result indicating whether the text contains an XXE attack. If you need to check multiple text inputs for XXE attacks, you can use our second API instead:
For the above function, you can input your requests as shown by the example below:
This process runs in batch, and the response indicates the XXE safety status of each input text string.
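For readers who want to see what the single-input and batch checks look like in local Java code, the following is an added example written for this article; it is not Cloudmersive's SDK and makes no network calls. It mirrors the parameters described above (Allow Internet URLs, Known Safe URLs, Known Unsafe URLs) with a local pre-scan of the text for DTD and entity declarations, and pairs it with a `DocumentBuilderFactory` hardened the way the OWASP XXE guidance recommends (DOCTYPE declarations disallowed, external entities and external DTD loading switched off). The class and method names (`XxeTextCheck`, `Verdict`, `checkText`, `checkBatch`, `parsesWithHardenedParser`) and the sample inputs are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class XxeTextCheck {

    // Verdict for one input string (hypothetical type for this example).
    public static final class Verdict {
        public final boolean containsXxe;
        public final String reason;
        Verdict(boolean containsXxe, String reason) { this.containsXxe = containsXxe; this.reason = reason; }
        @Override public String toString() { return (containsXxe ? "UNSAFE: " : "safe: ") + reason; }
    }

    private static final Pattern DOCTYPE = Pattern.compile("<!DOCTYPE\\b", Pattern.CASE_INSENSITIVE);
    // Group 1: SYSTEM/PUBLIC keyword (null for an internal entity); group 2: the system identifier (URL).
    private static final Pattern ENTITY = Pattern.compile(
        "<!ENTITY\\s+(?:%\\s+)?\\w+\\s+(?:(SYSTEM|PUBLIC)\\s+(?:\"[^\"]*\"\\s+)?\"([^\"]*)\"|\"[^\"]*\"|'[^']*')",
        Pattern.CASE_INSENSITIVE);

    // Local equivalent of the single-input check. Assumption: an external entity is acceptable
    // only when its URL is on the known-safe list, or it is an http(s) URL and internet URLs are allowed.
    public static Verdict checkText(String xml, boolean allowInternetUrls,
                                    List<String> knownSafeUrls, List<String> knownUnsafeUrls) {
        if (!DOCTYPE.matcher(xml).find()) {
            return new Verdict(false, "no DTD present");
        }
        Matcher m = ENTITY.matcher(xml);
        int allowed = 0;
        while (m.find()) {
            if (m.group(1) == null) {
                // Internal entities are the building block of entity-expansion denial of service.
                return new Verdict(true, "internal entity declaration (expansion / DoS risk)");
            }
            String url = m.group(2);
            if (knownUnsafeUrls.contains(url)) {
                return new Verdict(true, "entity references known-unsafe URL " + url);
            }
            boolean internet = url.startsWith("http://") || url.startsWith("https://");
            if (knownSafeUrls.contains(url) || (internet && allowInternetUrls)) { allowed++; continue; }
            return new Verdict(true, "external entity references " + url);
        }
        // A DOCTYPE with no allow-listed entities (e.g. an external DTD subset) is still treated as unsafe.
        return allowed == 0
            ? new Verdict(true, "DOCTYPE present with no allow-listed entities")
            : new Verdict(false, allowed + " allow-listed external entity declaration(s)");
    }

    // Local equivalent of the batch check: one verdict per input, in input order.
    public static List<Verdict> checkBatch(List<String> inputs, boolean allowInternetUrls,
                                           List<String> knownSafeUrls, List<String> knownUnsafeUrls) {
        List<Verdict> out = new ArrayList<>();
        for (String s : inputs) out.add(checkText(s, allowInternetUrls, knownSafeUrls, knownUnsafeUrls));
        return out;
    }

    // Hardened JAXP parser: rejects any DOCTYPE and never resolves external entities or DTDs.
    // Returns true if the document parsed, false if the parser rejected it.
    public static boolean parsesWithHardenedParser(String xml) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (ParserConfigurationException | SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration, not real traffic.
        List<String> inputs = Arrays.asList(
            "<order><id>42</id></order>",
            "<!DOCTYPE d [<!ENTITY x SYSTEM \"file:///path/to/sensitive-file\">]><d>&x;</d>",
            "<!DOCTYPE d [<!ENTITY a \"aaaa\"><!ENTITY b \"&a;&a;&a;&a;\">]><d>&b;</d>",
            "<!DOCTYPE d [<!ENTITY t SYSTEM \"https://dtd.example.com/terms.dtd\">]><d>&t;</d>");
        List<String> safe = Arrays.asList("https://dtd.example.com/terms.dtd");
        List<Verdict> verdicts = checkBatch(inputs, false, safe, Collections.emptyList());
        for (int i = 0; i < inputs.size(); i++) {
            System.out.println(verdicts.get(i) + " | hardened parser accepts: " + parsesWithHardenedParser(inputs.get(i)));
        }
    }
}
```

Run with `javac XxeTextCheck.java && java XxeTextCheck`. The first input is reported safe and parses; the file-backed entity and the internal-entity expansion are reported unsafe; the fourth is reported safe because its URL is on the known-safe list, yet the hardened parser still rejects it, since `disallow-doctype-decl` refuses every DTD regardless of allow-lists. That is the intended division of labour: the text check classifies input for logging and alerting, while the parser configuration is what actually prevents exploitation.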
That concludes our brief tutorial on XXE attacks! If you have any questions or would like more information on these or any of our other APIs, you can contact our team anytime.