Skip to content

LeadroyaL/java-xxe-defense-demo

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

java-xxe-defense-demo

2018年8月,在微信支付SDK的XXE影响下,写了百分百可以防御住的demo,并且经过了配置,有些配置是冗余的。

2019年7月,重新测试了每个设置对XXE的影响,之前为了保险建议全部都添加,现在筛选出了起作用的和不起作用的设置。

测试方式是使用两种poc,看是否可以读取到文件,一种是使用通用实体(external-general-entity),将文件内容打到xml的内容里,一种是使用参数实体(external-parameter-entity),将文件内容外带。

配合攻击demo食用更佳:https://github.com/LeadroyaL/java_xxe_2019

有效的防御方式的列表

FEATURE String
A http://javax.xml.XMLConstants/feature/secure-processing
B http://apache.org/xml/features/disallow-doctype-decl
C http://xml.org/sax/features/external-parameter-entities
D http://xml.org/sax/features/external-general-entities
E http://javax.xml.XMLConstants/property/accessExternalDTD
F http://javax.xml.XMLConstants/property/accessExternalStylesheet
G http://javax.xml.XMLConstants/property/accessExternalSchema
H javax.xml.stream.supportDTD
I javax.xml.stream.isSupportingExternalEntities
组件 FEATURE 作用
DocumentBuilderFactory A 禁用DTD
DocumentBuilderFactory B 禁用DTD
DocumentBuilderFactory C 可挡blind-xxe
DocumentBuilderFactory D 可挡回显xxe
SAXBuilder A 禁用DTD
SAXBuilder C 可挡blind-xxe
SAXParserFactory B 禁用DTD
SAXParserFactory C 可挡blind-xxe
SAXParserFactory D 不确定,因为默认无回显
SAXReader B 禁用DTD
SAXReader C 可挡blind-xxe
SAXReader D 可挡回显xxe
SAXTransformerFactory E 禁用DTD
SAXTransformerFactory F 不确定,引入额外stylesheet没有攻击成功
SchemaFactory E 禁用DTD
SchemaFactory G 不确定,引入额外schema没有攻击成功
TransformerFactory E 禁用DTD
TransformerFactory F 不确定,引入额外stylesheet没有攻击成功
Unmarshaller - 默认禁用DTD
Validator E 禁用DTD
Validator G 不确定,引入额外schema没有攻击成功
XMLInputFactory H 禁用DTD
XMLInputFactory I 禁用DTD
XMLReaderFactory B 禁用DTD
XMLReaderFactory C 可挡blind-xxe
XMLReaderFactory D 不确定,因为默认无回显

输出全部支持的feature和properties:

com.sun.org.apache.xerces.internal.impl.Constants.Main(String[] args)

推荐的最小化配置(出锅了别怪我)

一般来说,禁用了DTD就万事大吉了,禁用了通用实体就不会被回显,禁用了参数实体就不会被oob。

DocumentBuilderFactory_v1

    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    String FEATURE = null;
    FEATURE = XMLConstants.FEATURE_SECURE_PROCESSING;
    dbf.setFeature(FEATURE, true);
    DocumentBuilder builder = dbf.newDocumentBuilder();

DocumentBuilderFactory_v2

    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    String FEATURE = null;
    FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    dbf.setFeature(FEATURE, true);
    DocumentBuilder builder = dbf.newDocumentBuilder();

DocumentBuilderFactory_v3

    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    String FEATURE = null;
    FEATURE = "http://xml.org/sax/features/external-parameter-entities";
    dbf.setFeature(FEATURE, false);
    FEATURE = "http://xml.org/sax/features/external-general-entities";
    dbf.setFeature(FEATURE, false);
    DocumentBuilder builder = dbf.newDocumentBuilder();

SAXBuilder

    SAXBuilder builder = new SAXBuilder();
    builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    Document doc = builder.build(ResourceUtils.getPoc1());

SAXParserFactory

    SAXParserFactory spf = SAXParserFactory.newInstance();
    spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    SAXParser parser = spf.newSAXParser();
    parser.parse(ResourceUtils.getPoc1(), (HandlerBase) null);

SAXReader_v1

    SAXReader saxReader = new SAXReader();
    saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    org.dom4j.Document doc = saxReader.read(ResourceUtils.getPoc1());

SAXReader_v2

    SAXReader saxReader = new SAXReader();
    saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
    saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    org.dom4j.Document doc = saxReader.read(ResourceUtils.getPoc1());

SAXTransformerFactory

    SAXTransformerFactory sf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
    sf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    StreamSource source = new StreamSource(ResourceUtils.getPoc3());
    sf.newXMLFilter(source);

SchemaFactory

    SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
    factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    StreamSource source = new StreamSource(ResourceUtils.getPoc1());
    Schema schema = factory.newSchema(source);

TransformerFactory

    TransformerFactory tf = TransformerFactory.newInstance();
    tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    StreamSource source = new StreamSource(ResourceUtils.getPoc1());
    tf.newTransformer().transform(source, new DOMResult());

Unmarshaller

    Class tClass = Person.class;
    JAXBContext context = JAXBContext.newInstance(tClass);
    Unmarshaller um = context.createUnmarshaller();
    Object o = um.unmarshal(ResourceUtils.getPoc2());
    tClass.cast(o);

Validator

    SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
    Schema schema = factory.newSchema();
    Validator validator = schema.newValidator();
    validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    StreamSource source = new StreamSource(ResourceUtils.getPoc1());
    validator.validate(source);

XMLInputFactory_v1

    XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
    xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
    XMLStreamReader reader = xmlInputFactory.createXMLStreamReader(ResourceUtils.getPoc1());

XMLInputFactory_v2

    XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
    xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    XMLStreamReader reader = xmlInputFactory.createXMLStreamReader(ResourceUtils.getPoc1());

XMLReader

    XMLReader reader = XMLReaderFactory.createXMLReader();
    reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    reader.parse(new InputSource(ResourceUtils.getPoc1()));

About

java xxe defense demo

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published