2023-02-15 13:29:53 +02:00
|
|
|
title: Potential XXE Exploitation Attempt In JVM Based Application
|
|
|
|
|
id: c4e06896-e27c-4583-95ac-91ce2279345d
|
2024-01-01 09:00:51 +01:00
|
|
|
status: test
|
2023-02-15 13:29:53 +02:00
|
|
|
description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
|
|
|
|
|
references:
|
|
|
|
|
- https://rules.sonarsource.com/java/RSPEC-2755
|
|
|
|
|
- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
|
|
|
|
|
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
|
|
|
|
|
author: Moti Harmats
|
2024-08-12 12:02:50 +02:00
|
|
|
date: 2023-02-11
|
2023-02-15 13:29:53 +02:00
|
|
|
tags:
|
2024-08-12 12:02:50 +02:00
|
|
|
- attack.initial-access
|
2023-02-15 13:29:53 +02:00
|
|
|
- attack.t1190
|
|
|
|
|
logsource:
|
|
|
|
|
category: application
|
|
|
|
|
product: jvm
|
|
|
|
|
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
|
|
|
|
|
detection:
|
|
|
|
|
keywords:
|
|
|
|
|
- 'SAXParseException'
|
|
|
|
|
- 'DOMException'
|
|
|
|
|
condition: keywords
|
|
|
|
|
falsepositives:
|
2023-02-20 14:08:28 +01:00
|
|
|
- If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE.
|
2023-02-15 13:29:53 +02:00
|
|
|
level: high
|
