Secure APIs against XEE Attacks (XML Injection Attacks)

This article discusses XML External Entity (XEE, more commonly abbreviated XXE) attacks, which can occur whenever untrusted XML payloads are parsed at runtime with a parser that still resolves entities and DOCTYPE declarations.

Types of XEE Attacks

  • XML Injection Attacks: Embed external URL or schema file references (external entities) in the XML payload. These can lead to Denial of Service (DoS) if they point to URLs that never return, or allow reading of server files if the parser is permitted to resolve file system references.
  • XML Expansion Attacks: Use recursively nested or very large entity definitions in the payload's DOCTYPE, such as the "LOL attack" (better known as the Billion Laughs attack), to exhaust server memory and CPU.

Mitigation for RestEasy (Java)

To secure APIs, especially when using RestEasy, implement a custom javax.ws.rs.ext.MessageBodyReader<Object> and, inside it, feed the javax.xml.bind.Unmarshaller a SAXSource built from an XMLReader whose parser factory has the security features below enabled, rather than letting JAXB create its own default parser.

The recommended SAXParserFactory settings to prevent XEE attacks are:

  • factory.setFeature("http://xml.org/sax/features/validation", false);
  • factory.setFeature("http://xml.org/sax/features/namespaces", true);
  • factory.setFeature("http://xml.org/sax/features/external-general-entities", false); (Crucial for preventing external entity resolution)
  • factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); (Crucial for preventing external parameter entity resolution)
  • factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); (Enables secure processing)
  • factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); (Prevents Doctype declarations, mitigating XML Expansion attacks)

The article concludes by showing how to wrap the configured XMLReader in a SAXSource and pass that source to the Unmarshaller, so that JAXB parses the request body with the hardened reader instead of its default one.
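The following is an added example that is not the article's own code: a RestEasy MessageBodyReader (the class name SafeXmlReader and the choice to accept only @XmlRootElement types are assumptions) that applies the six feature settings above and hands the resulting XMLReader to JAXB through a SAXSource.

```java
import java.io.InputStream;
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;
import javax.ws.rs.Consumes;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.MessageBodyReader;
import javax.ws.rs.ext.Provider;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

@Provider
@Consumes(MediaType.APPLICATION_XML)
public class SafeXmlReader implements MessageBodyReader<Object> { // hypothetical class name
    @Override
    public boolean isReadable(Class<?> type, Type genericType,
                              Annotation[] annotations, MediaType mediaType) {
        // Assumption: only JAXB root types are handled here; other readers take the rest.
        return type.isAnnotationPresent(javax.xml.bind.annotation.XmlRootElement.class);
    }

    @Override
    public Object readFrom(Class<Object> type, Type genericType, Annotation[] annotations,
                           MediaType mediaType, MultivaluedMap<String, String> httpHeaders,
                           InputStream entityStream) throws java.io.IOException {
        try {
            SAXParserFactory factory = SAXParserFactory.newInstance();
            factory.setFeature("http://xml.org/sax/features/validation", false);
            factory.setFeature("http://xml.org/sax/features/namespaces", true);
            // No external general or parameter entities: blocks file and URL fetches.
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // No DOCTYPE at all, so there are no inline entity definitions to expand.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            XMLReader reader = factory.newSAXParser().getXMLReader();
            // The SAXSource makes JAXB parse with our hardened reader, not its default one.
            SAXSource source = new SAXSource(reader, new InputSource(entityStream));
            Unmarshaller unmarshaller = JAXBContext.newInstance(type).createUnmarshaller();
            return unmarshaller.unmarshal(source, type).getValue();
        } catch (Exception e) {
            // A payload with a DOCTYPE or external entity now fails parsing and is rejected as 400.
            throw new javax.ws.rs.BadRequestException("rejected XML payload", e);
        }
    }
}
```

Register the provider with RestEasy (for example by scanning or listing it in the Application's classes); a payload carrying a DOCTYPE is then refused before any entity is resolved.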
