温馨提示×

xxe漏洞是如何修复的

九三
1011
2021-01-30 18:42:15
栏目: 网络安全

xxe漏洞是如何修复的

使用java对xxe漏洞进行修复的方法

xxe漏洞代码:

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

String FEATURE = null;

// dbf.setExpandEntityReferences无法防止xxe

dbf.setExpandEntityReferences(false);

DocumentBuilder documentBuilder = dbf.newDocumentBuilder();

Document document = documentBuilder.parse(new File("poc.xml"));

xxe漏洞修复代码:

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

String FEATURE = null;

FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";

dbf.setFeature(FEATURE, true);

FEATURE = "http://xml.org/sax/features/external-general-entities";

dbf.setFeature(FEATURE, false);

FEATURE = "http://xml.org/sax/features/external-parameter-entities";

dbf.setFeature(FEATURE, false);

FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

dbf.setFeature(FEATURE, false);

dbf.setXIncludeAware(false);

// dbf.setExpandEntityReferences无法防止xxe

dbf.setExpandEntityReferences(false);

DocumentBuilder documentBuilder = dbf.newDocumentBuilder();

0