Avoid parsing untrusted data, such as user input, as XML. Such data may include URIs that resolve to resources outside the current context, leading to XML External Entity (XXE) injection. XXE injection occurs when XML input with references to external entities is processed without proper sanitization, potentially allowing attackers to access internal files, cause denial of service, or execute remote code.
Remediation Guidelines
Do not parse XML input with external entity processing enabled. Configure the parser to refuse to resolve external entities before it handles untrusted input; because entity declarations can only appear in a DTD, rejecting any DOCTYPE in untrusted documents is the most reliable way to rule out XXE. Checking the parser's defaults is not enough: several common XML libraries resolve external entities unless told otherwise.
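The following is an added example, not part of the original guideline, showing one way to apply it in Python with the standard library's expat parser: untrusted input is first run through a gate parser that refuses any DOCTYPE or entity declaration and never fetches external parameter entities, and only DTD-free, well-formed documents reach the tree builder. The sample documents, the `file:///path/to/local/file` placeholder and the `classify` helper are constructed for this example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXml(ValueError):
    """Raised when untrusted XML carries a DTD, the vehicle for entity attacks."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE is refused, whether or not it declares entities:
    # untrusted data has no legitimate need for one.
    raise UnsafeXml(f"DOCTYPE {name!r} is not allowed in untrusted input")


def _reject_entity(name, is_parameter, value, base, system_id, public_id, notation):
    raise UnsafeXml(f"entity declaration {name!r} is not allowed in untrusted input")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with DTD and entity processing refused."""
    gate = expat.ParserCreate()
    # Never load an external DTD subset or other external parameter entities.
    gate.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    gate.StartDoctypeDeclHandler = _reject_doctype
    gate.EntityDeclHandler = _reject_entity
    # No ExternalEntityRefHandler is installed, so expat cannot resolve a
    # SYSTEM entity even if a declaration were somehow reached.
    gate.Parse(data, True)  # raises UnsafeXml or expat.ExpatError
    return ET.fromstring(data)  # only well-formed, DTD-free input gets here


def classify(data: bytes) -> str:
    """Label an input for logging or detection: accepted, rejected or malformed."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXml:
        return "rejected"
    except (expat.ExpatError, ET.ParseError):
        return "malformed"
    return "accepted"


# Constructed sample inputs (not taken from any real system).
SAFE_DOC = b"<order><item sku='A1'>2</item></order>"
XXE_DOC = (b"<?xml version='1.0'?>"
           b"<!DOCTYPE order [<!ENTITY xxe SYSTEM 'file:///path/to/local/file'>]>"
           b"<order><item>&xxe;</item></order>")
EXTERNAL_DTD_DOC = b"<!DOCTYPE order SYSTEM 'http://example.invalid/order.dtd'><order/>"
```

A "rejected" result is worth alerting on: a DOCTYPE in a request body is a strong signal that someone is probing the parser.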