XML External Entity (XXE) – External Parameter Entity and External General Entity Vulnerability
To prevent XXE attacks, I have disabled the following features as recommended by Java DocumentBuilderFactory – https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet .
```java
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
```
Is there a vulnerability if you don't set external-general-entities and external-parameter-entities to false? Because when we set disallow-doctype-decl to true and XIncludeAware to false, it will not allow expanding these external entities.
Is it safe to remove these two lines from the code above, or must they also be kept? If it is mandatory, what loopholes will there be if they are not set to false?
Even if we set disallow-doctype to true and XIncludeAware to false and ExpandEntityReferences to false, please provide examples of vulnerabilities specific to external generic/parameter entities.
Keeping them is not mandatory. Setting disallow-doctype-decl will prevent XXE attacks because any inline DOCTYPE declaration in untrusted XML will cause the parser to throw an exception.
However, I recommend leaving the code unchanged because
external-general-entities and external-parameter-entities are
If these two lines are not present and the later maintainer (naively or incorrectly) deletes the first line, the code becomes vulnerable again. Explicitly putting other lines there makes it more likely that maintainers will look for these features on further modifications, and we want to understand why they exist.