Here is the code snippet for a DomParser which I am using, The DomParser which I am using is of Oracle.
import oracle.xml.parser.v2.DOMParser;
DOMParser domParser = new DOMParser();
domParser.parse(new StringReader(xmlPayload));
Document doc = domParser.getDocument();
doc.getDocumentElement().normalize();
System.out.println("Root element :" + doc.getDocumentElement().getNodeName());
NodeList nList = doc.getElementsByTagName("student");
Recently our Security team has raised a concern that the above DOM parser is vulnerable to security attack and has come up with a recommendation on setting two attributes
domParser.setAttribute("RESOLVE_ENTITY_DEFAULT", true);
domParser.setAttribute("DEFAULT_ENTITY_EXPANSION_DEPTH", 150);
But on setting these attributes, I am getting the below error,
Exception in thread "main" java.lang.IllegalArgumentException
at oracle.xml.parser.v2.XMLParser.setAttribute(XMLParser.java:870)
at oracle.xml.parser.v2.DOMParser.setAttribute(DOMParser.java:538)
at DomParserExample.main(DomParserExample.java:20)
kindly let me know how can I prevent XML Entity Expansion injection and XXE attacks. I have tried looking into OWASP XEE Cheat Sheet and browsed through various questions and answers for XXE attack, but could not find a solution for this.
try this
domParser.setAttribute(XMLParser.RESOLVE_ENTITY_DEFAULT, true);
domParser.setAttribute(XMLParser.DEFAULT_ENTITY_EXPANSION_DEPTH, 150);