
kondukto-io/java-xxe-vulnerability-search-semgrep-remediation


Java-xxe-vulnerability-search-semgrep-remediation

Vulnerable Java repository: Javulna

Overview

This repository aims to demystify the Java XXE (XML External Entity) vulnerability, offering both theoretical background and practical remediation tactics. We use the deliberately vulnerable Java repository edu-secmachine/javulna for the hands-on exploitation and remediation demonstrations.

If you wish to read the blog post accompanying this repository, please follow this link.

XXE Exploit


Static Analysis with Semgrep: A Docker-Integrated Approach

We employ Semgrep for static analysis. The following command initiates the scan:

docker run --rm -v ${PWD}:/src returntocorp/semgrep semgrep --config p/owasp-top-ten --json -o /src/semgrepscan-results.json

Semgrep Scan


Exploitation with XXE

The image below shows the terminal session, revealing a successful XXE exploit against the vulnerable endpoint.

Terminal Execution


Anatomy of the XXE Exploit

The XML snippet responsible for the XXE attack is broken down as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
  • XML Declaration: specifies the XML version (1.0) and encoding (UTF-8).
  • DTD: declares an external entity named xxe whose value is loaded from file:///etc/passwd; this declaration is pivotal in the attack.
  • XML Content: houses the root element <foo> and references the entity with &xxe;, so a parser that resolves external entities substitutes the file contents into the document.

XML Payload


Remediation: Securing XML Parsing in Java

Here's a snippet showcasing the remediation code:

import javax.xml.parsers.DocumentBuilderFactory;

// setFeature() throws ParserConfigurationException if the underlying parser does not support a feature.
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Reject any DOCTYPE declaration outright; this alone blocks the inline DTD used by the payload.
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth: do not resolve external general or parameter entities even if a DTD were allowed.
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
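As an added example (not code from the Javulna repository or this project), the remediation settings above are wired into a small runnable check that feeds the page's payload to the hardened parser and confirms it is rejected before any entity is resolved. The class name, the load-external-dtd feature and the XInclude/entity-expansion switches are additions beyond the snippet, following the OWASP XXE prevention cheat sheet.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

public class XxeHardenedParserDemo {

    // Constructed sample: the same payload shape the page discusses, pointing at /etc/passwd.
    static final String PAYLOAD =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\n"
      + "<foo>&xxe;</foo>";

    // Hardened factory: the three features from the remediation snippet plus the extra
    // switches recommended by the OWASP cheat sheet (additions, not from the page).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns the root element's text, or null when the parser rejects the document.
    static String parseRootText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Hardened parser: the DOCTYPE is refused before any entity is resolved, so the file is never read.
        String hardened = parseRootText(hardenedFactory(), PAYLOAD);
        System.out.println("hardened result: " + hardened);
        // A benign document without a DOCTYPE still parses normally with the same factory.
        System.out.println("benign: " + parseRootText(hardenedFactory(), "<foo>hello</foo>"));
    }
}
```

Running it prints a "DOCTYPE is disallowed" rejection for the payload and "hello" for the benign document, which is the behaviour to assert in a regression test after applying the remediation.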

Secure Code Execution


Alternative Strategies

  • Use OWASP's ESAPI
  • Disable DTDs
  • Implement strict schema validation

Bonus: Semgrep Limitations

Post-remediation, Semgrep still flagged the code as vulnerable, suggesting the need for rule updates.


Differences between Remediations/Rules

The false positives generated by static analysis tools can lead to unnecessary time expenditures and security risks.

After Remediation OWASP


References

  1. Java Remediation Guidance for XXE
  2. OWASP: XXE Vulnerabilities
  3. Semgrep: OWASP Top Ten ruleset
  4. PortSwigger on XXE
  5. Vulnerable GitHub repository (edu-secmachine/javulna)
  6. Medium blog post by Mert Can Coskuner

Directory and Folders of Repository

About

XXE vulnerability searched for by Semgrep, with remediation and exploitation.
