All Questions
5 questions
1 vote
2 answers
854 views
Java XXE vulnerability
If I am already using xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); then do I also need to use xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities",...
1 vote
1 answer
2k views
Avoid cross site scripting in XML namespace
We have a legacy application on Spring MVC and we have a web service exposed (SOAP protocol) for some reporting client app. This service was tested by a security team and the report indicates that the ...
7 votes
0 answers
3k views
Can XXE be exploited when disallow-doctype-decl is set to true (Apache)?
I found out that an endpoint of a website may be vulnerable to XXE. It is using Unmarshal as an XML parser. When I try to send a post request using common XXE payloads, I receive the following ...
1 vote
0 answers
1k views
Java XXE Injection - Billion Laughs doesn't work
I'm trying to reproduce several XXE attacks against a Java web service. When I try to reproduce "Billion Laughs" I always get this: Exception in thread "main" org.xml.sax.SAXParseException; ...
3 votes
1 answer
1k views
Java org.xmlpull.v1.XmlPullParser and XML External Entity (XXE) Processing Attacks
I'm evaluating the security of an Android application and the application is using the XmlPullParser included with Android. I'm having some difficulty getting any common attacks to work, but I want ...