Potential XXE Exploitation Attempt In JVM Based Application

calendar Aug 12, 2024 · attack.initial-access attack.t1190  ·
Share on: linkedin copy

Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.

Sigma rule (View on GitHub)

 1title: Potential XXE Exploitation Attempt In JVM Based Application
 2id: c4e06896-e27c-4583-95ac-91ce2279345d
 3status: test
 4description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
 5references:
 6    - https://rules.sonarsource.com/java/RSPEC-2755
 7    - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
 8    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 9author: Moti Harmats
10date: 2023-02-11
11tags:
12    - attack.initial-access
13    - attack.t1190
14logsource:
15    category: application
16    product: jvm
17    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
18detection:
19    keywords:
20        - 'SAXParseException'
21        - 'DOMException'
22    condition: keywords
23falsepositives:
24    - If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE.
25level: high

References

  • Java static code analysis

    Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code


    Read More

  • XML External Entity (XXE) Processing | OWASP Foundation

    XML External Entity (XXE) Processing on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.


    Read More

  • Threat and Vulnerability Hunting with Application Server Error Logs

    IntroductionWhen doing application security at scale, you have to make peace with the fact that some issues may as well find their way into production. While we work hard to make sure this almost never happens, we understand that it’s just a fact of life that sometimes some things can slip into production without proper security controls.Photo by Mahdi Bafande on UnsplashThat’s why in addition to constantly “shifting left” our efforts and trying to secure all frameworks “by design”, one of the c


    Read More

Related rules

to-top