How To Fix Veracode Information Leakage Risk (CWE 611).

Gain Java Knowledge
2 min read · Jun 6, 2022

Improper Restriction of XML External Entity Reference (CWE ID 611). In this tutorial we will learn how to configure the XML parser to disable DTD processing and external entity resolution before JAXB unmarshals untrusted input.

Description: The product processes an XML document that can contain XML entities with URLs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. By default, the XML entity resolver will attempt to resolve and retrieve external references. If attacker-controlled XML can be submitted to one of these functions, the attacker could gain access to information about an internal network, the local filesystem, or other sensitive data. This is known as an XML eXternal Entity (XXE) attack.

Recommendations: Configure the XML parser to disable DTD processing and external entity resolution, and make sure the unmarshaller actually reads through that hardened parser (an XMLStreamReader created from the configured XMLInputFactory) rather than from a raw String, InputStream or Source. Setting the properties on a factory that is never used to parse the input does not fix the finding.

Solution (code snippet):

Here we assume we have already received a SOAPMessage as the response.

import java.io.StringWriter;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import org.w3c.dom.Node;

Unmarshaller unmarshaller = JAXBContext.newInstance(MyClass.class).createUnmarshaller();
XMLInputFactory xif = XMLInputFactory.newFactory();            // hardened StAX factory; the unmarshaller must read through it
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); // never resolve external entities
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);            // reject DTDs outright

Transformer transformer = TransformerFactory.newInstance().newTransformer();
Node node = soapMessage.getSOAPBody().extractContentAsDocument(); // body already parsed by SAAJ; serialise it so it can be re-read safely
StringWriter writer = new StringWriter();
transformer.transform(new DOMSource(node), new…
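The snippet above stops before the step that matters for the Veracode finding: the XMLStreamReader created from the hardened factory has to be what the unmarshaller reads, otherwise the two properties are never applied. The following is a complete, added example (not code from the original post) showing the whole path: a hardened XMLInputFactory, an unmarshal helper that goes through it, the page's Node-to-String round trip for the extracted SOAP body, and a constructed XXE payload being refused. It assumes the javax.xml.bind JAXB API and an implementation are on the classpath (as the page's own code does), and uses a hypothetical `Order` class in place of the page's `MyClass`; the `Node` would in real use come from `soapMessage.getSOAPBody().extractContentAsDocument()`.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public class SafeUnmarshalDemo {

    // Hypothetical payload type standing in for the page's MyClass.
    @XmlRootElement(name = "order")
    @XmlAccessorType(XmlAccessType.FIELD)
    public static class Order {
        public String id;
    }

    // Hardened StAX factory: no DTDs at all, so no entity declarations and
    // no external entity resolution can happen on readers created from it.
    static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    // The fix: never hand JAXB a raw String/InputStream/Source. Parse with the
    // hardened reader and give JAXB the XMLStreamReader instead.
    static <T> T unmarshalSafely(String xml, Class<T> type) throws JAXBException, XMLStreamException {
        XMLStreamReader xsr = hardenedInputFactory().createXMLStreamReader(new StringReader(xml));
        try {
            Unmarshaller unmarshaller = JAXBContext.newInstance(type).createUnmarshaller();
            return unmarshaller.unmarshal(xsr, type).getValue();
        } finally {
            xsr.close();
        }
    }

    // The page's flow from the extracted SOAP body onward: serialise the DOM
    // Node to a String, then unmarshal it through the hardened reader.
    static <T> T unmarshalNode(Node node, Class<T> type) throws Exception {
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        StringWriter writer = new StringWriter();
        transformer.transform(new DOMSource(node), new StreamResult(writer));
        return unmarshalSafely(writer.toString(), type);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a classic XXE payload that tries to read a local file.
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE order [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
                + "<order><id>&xxe;</id></order>";
        try {
            Order o = unmarshalSafely(xxe, Order.class);
            System.out.println("NOT BLOCKED, id = " + o.id);
        } catch (JAXBException | XMLStreamException e) {
            // With DTDs disabled the DOCTYPE is not processed and the entity
            // stays undeclared, so parsing fails before any file or URL is touched.
            System.out.println("blocked: " + e);
        }

        // Benign input through the Node path. The DOM parser used here is
        // hardened as well: the StAX settings protect only the JAXB step.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Node doc = dbf.newDocumentBuilder()
                .parse(new InputSource(new StringReader("<order><id>42</id></order>")));
        System.out.println("id = " + unmarshalNode(doc, Order.class).id);
    }
}
```

Two points worth keeping in mind when applying this to the SOAP case. First, the body returned by `extractContentAsDocument()` was already parsed by the SAAJ implementation when the SOAPMessage was built, so that parser must be hardened too; the StAX properties only govern the re-parse that feeds JAXB. Second, `SUPPORT_DTD=false` is the stronger of the two settings: it also stops internal-entity expansion attacks (billion laughs), whereas `IS_SUPPORTING_EXTERNAL_ENTITIES=false` on its own only stops external entities from being fetched.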
