Unsanitized user input in XML External Entity

Overview

  • Rule ID: java_lang_xml_external_entity_vulnerability

  • Applicable Languages: Java

  • Weakness ID: CWE-611

Description

Avoid parsing untrusted data, such as user input, as XML. Such data may include URIs that resolve to resources outside the current context, leading to XML External Entity (XXE) injection. XXE injection occurs when XML input with references to external entities is processed without proper sanitization, potentially allowing attackers to access internal files, cause denial of service, or execute remote code.

Remediation Guidelines

  • Do not parse XML input with external entity processing enabled. This prevents attackers from exploiting XXE vulnerabilities.
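The following Java snippet is an added illustration of this guideline, not code from the rule's own documentation. It shows the JAXP default configuration that this rule flags beside a hardened `DocumentBuilderFactory` that refuses DOCTYPE declarations and disables external entity resolution, and runs the hardened parser over a constructed input (the `file:///example/...` URI is a placeholder, not a real path) to show that the document is rejected before any entity is resolved.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class SafeXmlParsing {

    // Constructed sample input: an XML document that declares an external entity.
    // The SYSTEM URI is a placeholder chosen for this example.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY ext SYSTEM \"file:///example/outside-context.txt\"> ]>\n"
      + "<note>&ext;</note>";

    // Vulnerable configuration (the pattern this rule reports): JAXP defaults leave
    // DTD processing and external entity resolution enabled, so &ext; would be
    // resolved against the filesystem or network. Shown for contrast, not invoked.
    static Document parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Hardened configuration: disallow DOCTYPE declarations outright (the strongest
    // setting), and additionally switch off external general/parameter entities,
    // external DTD loading, XInclude and entity expansion so that the parser stays
    // safe even if an implementation ignores one of the features.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    static Document parseSafe(String xml) throws Exception {
        return hardenedBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        try {
            parseSafe(UNTRUSTED_XML);
            System.out.println("unexpected: document with DOCTYPE was accepted");
        } catch (SAXException e) {
            // With disallow-doctype-decl the parser refuses the document as soon as
            // it sees the DOCTYPE, before any entity is resolved.
            System.out.println("rejected as expected: " + e.getMessage());
        }
        // A plain document without a DOCTYPE still parses normally.
        Document ok = parseSafe("<note>hello</note>");
        System.out.println("parsed root element: " + ok.getDocumentElement().getTagName());
    }
}
```

If the application genuinely needs DTDs (for instance, to accept documents with internal entity declarations), keep `disallow-doctype-decl` off but leave the remaining features set as above; every other case should keep the DOCTYPE ban, since it closes the entire class of external entity and DTD-based attacks in one setting.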

References

Configuration

To omit this rule during a scan, or to get continuous code-level scanning of your projects, you can use our SAST tool.
