Nasreddine Bencherchali
598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version.
26 lines
1011 B
YAML
26 lines
1011 B
YAML
title: Potential XXE Exploitation Attempt In JVM Based Application
|
|
id: c4e06896-e27c-4583-95ac-91ce2279345d
|
|
status: test
|
|
description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
|
|
references:
|
|
- https://rules.sonarsource.com/java/RSPEC-2755
|
|
- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
|
|
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
|
|
author: Moti Harmats
|
|
date: 2023-02-11
|
|
tags:
|
|
- attack.initial-access
|
|
- attack.t1190
|
|
logsource:
|
|
category: application
|
|
product: jvm
|
|
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
|
|
detection:
|
|
keywords:
|
|
- 'SAXParseException'
|
|
- 'DOMException'
|
|
condition: keywords
|
|
falsepositives:
|
|
- If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE.
|
|
level: high
|