What is XML External Entity Injection

Summary

Explanation

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>

Recommendation

<web-app>
...
<init-param>
<param-name>com.sun.jersey.config.feature.DisableXmlSecurity</param-name>
<param-value>false</param-value>
</init-param>
...
</web-app>

<web-app>
...
<context-param>
<param-name>resteasy.document.expand.entity.references</param-name>
<param-value>false</param-value>
</context-param>
...
</web-app>
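Both settings above hand the hardening to the framework. As an added example that is not part of the original post, the same protection applied directly to a JAXP DocumentBuilderFactory, verified against the /dev/random payload shown in the Explanation; the class and method names are this example's own, and the feature URIs are the standard Xerces ones supported by the JDK's built-in parser.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlParser {

    // The payload from the post, embedded here as a constant so the check runs offline.
    // Expanding &xxe; would make the parser read the endless /dev/random stream.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n"
      + "<!DOCTYPE foo [\n"
      + "<!ELEMENT foo ANY >\n"
      + "<!ENTITY xxe SYSTEM \"file:///dev/random\" >]><foo>&xxe;</foo>";

    // Returns a factory whose parsers reject DOCTYPEs outright and, as defence in depth,
    // refuse external entities and external DTDs should DOCTYPE ever be re-enabled.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // True when the hardened parser refuses the document before any entity is resolved.
    static boolean isRejected(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            db.parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXParseException e) {
            // disallow-doctype-decl fires on the DOCTYPE line, so /dev/random is never opened.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("XXE payload rejected: " + isRejected(XXE_PAYLOAD));
    }
}
```

Because the DOCTYPE is refused before the entity declaration is processed, the check finishes immediately instead of blocking on /dev/random.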

Tips

Written by

Blogger | Security Researcher | Digital forensic analyst | Twitter — @mrunal110
