Java-xxe-vulnerability-search-semgrep-remediation

Vulnerable Java repository: Javulna

Overview

This repository aims to demystify Java XXE vulnerability, offering both theoretical insights and practical remediation tactics. We use the Java repository edu-secmachine/javulna for hands-on exploitation and remediation demonstrations.

If you wish to see the blog post of this repository please click to this link.

---

Static Analysis with Semgrep: A Docker-Integrated Approach

We employ Semgrep for static analysis. The following command initiates the scan:

docker run --rm -v ${PWD}:/src returntocorp/semgrep semgrep --config p/owasp-top-ten --json -o /src/semgrepscan-results.json

---

Exploitation with XXE

The below image showcases the terminal execution, revealing a successful XXE exploit.

---

Anatomy of the XXE Exploit

The XML snippet responsible for the XXE attack is broken down as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

• XML Declaration: Specifies the XML version and encoding.
• DTD: Defines the XML structure and is pivotal in this attack.
• XML Content: Houses the root element and invokes the malicious entity.

---

Remediation: Securing XML Parsing in Java

Here's a snippet showcasing the remediation code:

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

---

Alternative Strategies

• Use OWASP's ESAPI
• Disable DTDs
• Implement strict schema validation

---

Bonus: Semgrep Limitations

Post-remediation, Semgrep still flagged the code as vulnerable, suggesting the need for rule updates.

---

Differences between Remediations/Rules

The false positives generated by static analysis tools can lead to unnecessary time expenditures and security risks.

---

References

1. Java-Remediation-Guidance-for-XXE
2. OWASP-XXE-Vulnerabilities
3. Semgrep-OWASP-Top-Ten
4. Portswigger-on-XXE
5. Vulnerable-GitHub-Repository
6. Medium Blog-Mert-Can-Coskuner

Directory and Folders of Repository

• assets (screenshots while demonstrating the research)
• codes-of-scenarios (case scenarios, remediation and exploitations)
• remediated-for-both (Code remediated for both rules and results.)
• .gitignore
• README.md