Recently, we had a security audit on our code, and one of the problems found was that our application is subject to an XML External Entity (XXE) attack.
Basically, the application is a calculator that receives its inputs as XML, through a web-service.
Here is an example of such an XXE attack on our application:
```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header/>
   <soapenv:Body>
      <foo:calculateStuff>
         <!--Optional:-->
         <xmlInput><![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE currency [
  <!ENTITY include SYSTEM "file:///d:/" >]>
<calcInput>...</calcInput>
]]></xmlInput>
      </foo:calculateStuff>
   </soapenv:Body>
</soapenv:Envelope>
```

As you can see, it can refer to an entity that points to an external file (`file:///d:/`).
Regarding the XML input (the `<calcInput>...</calcInput>` part), it is unmarshalled with JAXB (v2.1). The web-service part is based on JAXWS-RT (2.1).
What do I need to do to secure the web-service?
Thanks.
**JAXB**
You can prevent an XML External Entity (XXE) attack by unmarshalling from an `XMLStreamReader` that has the `IS_SUPPORTING_EXTERNAL_ENTITIES` and/or `XMLInputFactory.SUPPORT_DTD` properties set to false.
**JAX-WS**
A JAX-WS implementation should take care of this for you. If it doesn't, I would recommend opening a bug against the specific implementation.
**Example**
**Demo**

```java
package xxe;

import javax.xml.bind.*;
import javax.xml.stream.*;
import javax.xml.transform.stream.StreamSource;

public class Demo {

    public static void main(String[] args) throws Exception {
        JAXBContext jc = JAXBContext.newInstance(Customer.class);

        // Disable DTD support and external entity resolution on the StAX parser
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource("src/xxe/input.xml"));

        // Unmarshal from the hardened reader rather than directly from the file
        Unmarshaller unmarshaller = jc.createUnmarshaller();
        Customer customer = (Customer) unmarshaller.unmarshal(xsr);

        Marshaller marshaller = jc.createMarshaller();
        marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
        marshaller.marshal(customer, System.out);
    }

}
```

**input.xml**
This XML document contains an entity that has been set up to list the files used to create this example.
```xml
<?xml version="1.0"?>
<!DOCTYPE customer
[
<!ENTITY name SYSTEM "/Users/bdoughan/examples/src/xxe/">
]
>
<customer>
    <name>&name;</name>
</customer>
```

**Customer**
```java
package xxe;

import javax.xml.bind.annotation.XmlRootElement;

@XmlRootElement
public class Customer {

    private String name;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

}
```

**Output - Default Configuration**
By default the entity will be resolved.
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<customer>
    <name>Customer.java
Demo.java
input.xml
</name>
</customer>
```

**Output when XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES property is set to false**
When this property is set, the entity will not be resolved.
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<customer>
    <name></name>
</customer>
```

**Output when XMLInputFactory.SUPPORT_DTD property is set to false**
When this property is set, an exception will be thrown when trying to resolve the entity.
```
Exception in thread "main" javax.xml.bind.UnmarshalException
 - with linked exception:
[javax.xml.stream.XMLStreamException: ParseError at [row,col]:[8,15]
Message: The entity "name" was referenced, but not declared.]
    at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.handleStreamException(UnmarshallerImpl.java:436)
    at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:372)
    at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:342)
    at xxe.Demo.main(Demo.java:18)
Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[8,15]
Message: The entity "name" was referenced, but not declared.
    at com.sun.org.apache.xerces.internal.impl.XMLStreamReaderImpl.next(XMLStreamReaderImpl.java:598)
    at com.sun.xml.bind.v2.runtime.unmarshaller.StAXStreamConnector.bridge(StAXStreamConnector.java:196)
    at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:370)
    ... 2 more
```
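The question's payload arrives as a String inside the SOAP body rather than as a file, so here is an added example (not part of the answer above) that applies the same two `XMLInputFactory` properties to a String input and fails closed if the StAX implementation on the classpath does not recognise them. It assumes the `Customer` class from the answer in the same `xxe` package; the `SYSTEM` path in the constructed payload is a placeholder, not a real file.

```java
package xxe;

import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Hardened unmarshalling of an XML document received as a String (e.g. the
// CDATA payload of the web-service request in the question).
public class SafeUnmarshal {
    // Constructed sample in the shape of the question's payload; the SYSTEM
    // identifier is a placeholder path, not a real location.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE customer [<!ENTITY name SYSTEM \"file:///placeholder/path/\">]>"
      + "<customer><name>&name;</name></customer>";

    public static <T> T unmarshalSafely(String xml, Class<T> type) throws JAXBException, XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        // Fail closed: a parser that ignores these properties would silently
        // keep external entities enabled, so refuse to parse instead.
        if (!xif.isPropertySupported(XMLInputFactory.SUPPORT_DTD)
                || !xif.isPropertySupported(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES)) {
            throw new IllegalStateException("StAX parser does not support XXE hardening properties");
        }
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
        try {
            Unmarshaller unmarshaller = JAXBContext.newInstance(type).createUnmarshaller();
            return type.cast(unmarshaller.unmarshal(xsr));
        } finally {
            xsr.close();
        }
    }

    public static void main(String[] args) throws Exception {
        try {
            Customer c = unmarshalSafely(PAYLOAD, Customer.class);
            System.out.println("Parsed without resolving the entity: name=" + c.getName());
        } catch (JAXBException e) {
            // With SUPPORT_DTD=false the DOCTYPE's entity declaration is skipped,
            // so the &name; reference is undeclared and the document is rejected.
            System.out.println("Rejected: " + e.getLinkedException().getMessage());
        }
    }
}
```

Whether the hardened parse ends in an empty `<name>` or in the undeclared-entity exception shown above depends on which of the two properties the StAX implementation applies first; either outcome means the external file was never read.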