Backup_Repos/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2025-12-06 08:54:40 +01:00
Code Issues Projects Releases Wiki Activity

add code review section with Java examples

Browse source
This commit is contained in:
Alexandre ZANNI 2025-10-13 20:44:17 +02:00 committed by GitHub
parent d49faf9874
commit a522e1acf3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 25 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
XXE Injection/README.md
View file

@ -35,6 +35,8 @@
- [XXE Inside DOCX file](#xxe-inside-docx-file) - [XXE Inside DOCX file](#xxe-inside-docx-file)
- [XXE Inside XLSX file](#xxe-inside-xlsx-file) - [XXE Inside XLSX file](#xxe-inside-xlsx-file)
- [XXE Inside DTD file](#xxe-inside-dtd-file) - [XXE Inside DTD file](#xxe-inside-dtd-file)
- [Code review](#code-review)
- [XML parsers in Java](#xml-parsers-in-java)
- [Labs](#labs) - [Labs](#labs)
- [References](#references) - [References](#references)
@ -635,6 +637,29 @@ When all you control is the DTD file, and you do not control the `xml` file, XXE
%external; %external;
``` ```
## Code review
### XML parsers in Java
Unsecure configuration in 10 different Java classes from three XML processing interfaces (DOM, SAX, StAX) that can lead to XXE:
![XXE Java security features overview infographics](https://semgrep.dev/docs/assets/images/cheat-sheets-xxe-java-infographics-1d1d5016802e3ab8f0886b62b8c81f21.png)
- [DocumentBuilderFactory (javax.xml.parsers.DocumentBuilderFactory)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory)
- [SAXBuilder (org.jdom2.input.SAXBuilder)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3b-saxbuilder)
- [SAXParserFactory (javax.xml.parsers.SAXParserFactory)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3c-saxparserfactory)
- [SAXParser (javax.xml.parsers.SAXParser )](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3d-saxparser)
- [SAXReader (org.dom4j.io.SAXReader)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3e-saxreader)
- [TransformerFactory (javax.xml.transform.TransformerFactory) & SAXTransformerFactory (javax.xml.transform.sax.SAXTransformerFactory)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3f-transformerfactory--saxtransformerfactory)
- [SchemaFactory (javax.xml.validation.SchemaFactory)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3g-schemafactory)
- [Validator (javax.xml.validation.Validator)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3h-validator)
- [XMLReader (org.xml.sax.XMLReader)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3i-xmlreader)
Ref.
- [Semgrep - XML Security in Java](https://semgrep.dev/blog/2022/xml-security-in-java)
- [Semgrep - XML External entity prevention for Java](https://semgrep.dev/docs/cheat-sheets/java-xxe/)
## Labs ## Labs
- [Root Me - XML External Entity](https://www.root-me.org/en/Challenges/Web-Server/XML-External-Entity) - [Root Me - XML External Entity](https://www.root-me.org/en/Challenges/Web-Server/XML-External-Entity)