java代码审计--xxe

本文主要是介绍java代码审计--xxe，对大家解决编程问题具有一定的参考价值，需要的程序猿们随着小编来一起学习吧！

常见关键字

Documentbuilder
DocumentBuilderFactory
SAXReader
SAXParser
SAXParserFactory
SAXBuilder
TransformerFactory
reqXml
getInputStream
XMLReaderFactory
.newInstance
SchemaFactory
SAXTransformerFactory
javax.xml.bind
XMLReader
XmlUtils.get
Validator

java解析xml的方法有多种，比较常见的有四种：DOM、DOM4J、JDOM 和SAX。

//1. DocumentBuilder 原生、可回显
import javax.xml.parsers.DocumentBuilderFactory;
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbf.newDocumentBuilder();
StringReader sr = new StringReader(xml_con);
InputSource is = new InputSource(sr);
Document document = db.parse(is); 

//2. saxReader 第三方库
import org.dom4j.io.SAXReader;
SAXReader saxReader = new SAXReader();
Document document = saxReader.read(request.getInputStream());

//3. SAXBuilder 第三方库
import org.jdom2.input.SAXBuilder;
SAXBuilder builder = new SAXBuilder();  
Document document = builder.build(request.getInputStream());

//4. SAXParserFactory 原生、不可回显
import javax.xml.parsers.SAXParserFactory;
SAXParserFactory factory  = SAXParserFactory.newInstance(); 
SAXParser saxparser = factory.newSAXParser();
SAXHandler handler = new SAXHandler();  
saxparser.parse(request.getInputStream(), handler);

防御方法：

//实例化解析类之后通常会支持着三个配置
obj.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
obj.setFeature("http://xml.org/sax/features/external-general-entities", false);
obj.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

这篇关于java代码审计--xxe的文章就介绍到这儿，希望我们推荐的文章对大家有所帮助，也希望大家多多支持为之网！