Java – XML External Entity (XXE) – External Parameter Entity and External General Entity Vulnerability


XML External Entity (XXE) – External Parameter Entity and External General Entity Vulnerability

To prevent XXE attacks, I have disabled the following features on the Java DocumentBuilderFactory, as recommended by the OWASP cheat sheet – https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet .

        import javax.xml.parsers.DocumentBuilderFactory;

        // Hardened factory per the OWASP cheat sheet. setFeature() throws
        // ParserConfigurationException if the underlying parser does not know a
        // feature; let it propagate so a misconfiguration fails loudly.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);

Is there a vulnerability if you don’t set external-general-entities and external-parameter-entities to false? Because when we set disallow-doctype-decl to true and XIncludeAware to false, it will not allow expanding these external entities.

Is it safe to remove these two lines from the code above –

        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

or must they also be kept? If they are mandatory, what loopholes will there be if they are not set to false?

Even if we set disallow-doctype-decl to true, XIncludeAware to false and ExpandEntityReferences to false, please provide examples of vulnerabilities specific to external general/parameter entities.

Solution

Keeping them is not mandatory. Setting disallow-doctype-decl will prevent XXE attacks because any inline DOCTYPE declaration in untrusted XML will cause the parser to throw an exception.

However, I recommend leaving the code unchanged, because external-general-entities and external-parameter-entities are If these two lines are not present and a later maintainer (naively or incorrectly) deletes the first line, the code becomes vulnerable again. Explicitly putting the other lines there makes it more likely that maintainers will look for these features on further modifications and will want to understand why they exist.
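To make the answer concrete for both parts of the question (whether disallow-doctype-decl alone is enough, and what an external general entity and an external parameter entity attack actually look like), here is an added, self-contained Java program. It is not code from the question or the answer; the class name XxeFeatureDemo, the helper names, the two payloads, and the temporary files that stand in for a sensitive file and an attacker-hosted DTD are all constructed for this example so it runs offline. It builds three factories that all keep the question's setXIncludeAware(false) and setExpandEntityReferences(false), differing only in the setFeature() calls: JDK defaults, disallow-doctype-decl only, and the full OWASP set.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeFeatureDemo {

    // Builds a factory with only the requested setFeature() calls; everything else is
    // the JDK default. XIncludeAware/ExpandEntityReferences are set exactly as in the
    // question so the comparison isolates the three features under discussion.
    static DocumentBuilderFactory factory(boolean disallowDoctype, boolean disableExternalEntities)
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        if (disallowDoctype) {
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        }
        if (disableExternalEntities) {
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        }
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses one payload and reports either the text that ended up inside <data>
    // (i.e. what an attacker would exfiltrate) or the parser's rejection message.
    static String parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return "resolved: " + doc.getDocumentElement().getTextContent().trim();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins: a "secret" file on the server and an attacker-controlled
        // DTD. Local temp files are used so the example needs no network access.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.write(secret, "TOP-SECRET".getBytes(StandardCharsets.UTF_8));
        Path evilDtd = Files.createTempFile("evil", ".dtd");
        Files.write(evilDtd, ("<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">")
                .getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();
        evilDtd.toFile().deleteOnExit();

        // Payload 1: external general entity declared inline, pointing straight at the file.
        String generalEntity =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
          + "<data>&xxe;</data>";

        // Payload 2: external parameter entity (%ext;) pulls in a DTD that in turn declares
        // the general entity; the document itself never names the target file.
        String parameterEntity =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE data [<!ENTITY % ext SYSTEM \"" + evilDtd.toUri() + "\"> %ext;]>\n"
          + "<data>&xxe;</data>";

        String[][] payloads = { {"general entity", generalEntity}, {"parameter entity", parameterEntity} };
        Object[][] configs = {
            {"JDK defaults",               factory(false, false)},
            {"disallow-doctype-decl only", factory(true, false)},
            {"all OWASP features",         factory(true, true)},
        };
        for (Object[] cfg : configs) {
            for (String[] p : payloads) {
                System.out.printf("%-28s %-17s %s%n",
                        cfg[0], p[0], parse((DocumentBuilderFactory) cfg[1], p[1]));
            }
        }
    }
}
```

With the JDK's bundled Xerces parser the default factory prints TOP-SECRET for both payloads, which is the vulnerability the question asks for: setExpandEntityReferences(false) only changes how the DOM is shaped (the replacement text hangs under an EntityReference node), it does not stop the file from being read. Both hardened factories reject each payload with the "DOCTYPE is disallowed when the feature ... set to true" error before any entity is declared, let alone resolved, which is exactly why disallow-doctype-decl alone is sufficient for untrusted input; the JDK's default error handler also echoes a "[Fatal Error]" line to stderr for each rejection. The two external-*-entities lines become the operative control only in the situation the answer hints at: when a maintainer drops disallow-doctype-decl, or when the application must accept documents that legitimately carry a DOCTYPE and so cannot use it.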
