如何防止XML注入像XML Bomb和XXE攻击
发布时间:2020-12-16 23:29:27 所属栏目:百科 来源:网络整理
导读:我正在开发一个 Android应用程序 android:minSdkVersion="14" 在这个需要解析xml的应用程序中.因为我正在使用像这样的DOM解析器 DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();DocumentBuilder dBuilder = null;Document doc =
我正在开发一个
Android应用程序
android:minSdkVersion="14" 在这个需要解析xml的应用程序中.因为我正在使用像这样的DOM解析器 DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance(); DocumentBuilder dBuilder = null; Document doc = null; try { dBuilder = dbFactory.newDocumentBuilder(); } catch (ParserConfigurationException e) { e.printStackTrace(); } 但是当检查代码的安全性时,我遇到了两个安全问题 dBuilder = dbFactory.newDocumentBuilder();,它们是
经过一番研究,我加入了这条线 但是现在我执行此行时会遇到异常 javax.xml.parsers.ParserConfigurationException: http://javax.xml.XMLConstants/feature/secure-processing 有谁能够帮我? 解决方法
您是否尝试过
OWASP page的以下代码段?
import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; // catching unsupported features ... DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); try { // This is the PRIMARY defense. If DTDs (doctypes) are disallowed,almost all XML entity attacks are prevented // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; dbf.setFeature(FEATURE,true); // If you can't completely disable DTDs,then at least do the following: // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities FEATURE = "http://xml.org/sax/features/external-general-entities"; dbf.setFeature(FEATURE,false); // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities FEATURE = "http://xml.org/sax/features/external-parameter-entities"; dbf.setFeature(FEATURE,false); // and these as well,per Timothy Morgan's 2014 paper: "XML Schema,DTD,and Entity Attacks" (see reference below) dbf.setXIncludeAware(false); dbf.setExpandEntityReferences(false); // And,per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement,then // ensure the entity settings are disabled (as shown above) and beware that SSRF attacks // (http://cwe.mitre.org/data/definitions/918.html) and denial // of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk." // remaining parser logic ... catch (ParserConfigurationException e) { // This should catch a failed setFeature feature logger.info("ParserConfigurationException was thrown. The feature '" + FEATURE + "' is probably not supported by your XML processor."); ... } catch (SAXException e) { // On Apache,this should be thrown when disallowing DOCTYPE logger.warning("A DOCTYPE was passed into the XML document"); ... } catch (IOException e) { // XXE that points to a file that doesn't exist logger.error("IOException occurred,XXE may still possible: " + e.getMessage()); ... } (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |