Potential XXE Exploitation Attempt In JVM Based Application

 1title: Potential XXE Exploitation Attempt In JVM Based Application
 2id: c4e06896-e27c-4583-95ac-91ce2279345d
 3status: test
 4description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
 5references:
 6    - https://rules.sonarsource.com/java/RSPEC-2755
 7    - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
 8    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 9author: Moti Harmats
10date: 2023/02/11
11tags:
12    - attack.initial_access
13    - attack.t1190
14logsource:
15    category: application
16    product: jvm
17    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
18detection:
19    keywords:
20        - 'SAXParseException'
21        - 'DOMException'
22    condition: keywords
23falsepositives:
24    - If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE.
25level: high

References

• Java static code analysis

  

  Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

  
  Read More

• XML External Entity (XXE) Processing | OWASP Foundation

  

  XML External Entity (XXE) Processing on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.

  
  Read More

• Threat and Vulnerability Hunting with Application Server Error Logs

  

  IntroductionWhen doing application security at scale, you have to make peace with the fact that some issues may as well find their way into production. While we work hard to make sure this almost never happens, we understand that it’s just a fact of life that sometimes some things can slip into production without proper security controls.Photo by Mahdi Bafande on UnsplashThat’s why in addition to constantly “shifting left” our efforts and trying to secure all frameworks “by design”, one of the c

  
  Read More

Related rules

• Potential CVE-2022-21587 Exploitation Attempt
• Potential CVE-2023-23752 Exploitation Attempt
• Potential JNDI Injection Exploitation In JVM Based Application
• Potential Local File Read Vulnerability In JVM Based Application
• Potential OGNL Injection Exploitation In JVM Based Application