rspec/rules/S6376/java/rule.adoc

XML parsers Denial of Service attacks target XML parsers, which are software components responsible for parsing and interpreting XML documents.

== Why is this an issue?

XML files are complex data structures. When a malicious user is able to submit an XML file, it triggers complex processing that may overwhelm the parser. Most of the time, those complex processing are enabled by default, and XML parsers do not take preventive measures against Denial of Service attacks.

=== What is the potential impact?

When an attacker successfully exploits the vulnerability, it can lead to a Denial of Service (DoS) condition.

=== System Unavailability

Affected system becomes unresponsive or crashes, rendering it unavailable to legitimate users. This can have severe consequences, especially for critical systems that rely on continuous availability, such as web servers, APIs, or network services.

=== Amplification Attacks

In some cases, XML parsers Denial of Service attacks can be used as a part of larger-scale amplification attacks. By leveraging the vulnerability, attackers can generate a disproportionately large response from the targeted system, amplifying the impact of their attack. This can result in overwhelming network bandwidth and causing widespread disruption.

include::how-to-fix-it/java-se.adoc[]

include::how-to-fix-it/dom4j.adoc[]

include::how-to-fix-it/jdom2.adoc[]

== Resources

=== Documentation

* Java Documentation - https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilderFactory Class]
* Java Documentation - https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/parsers/SAXParserFactory.html[SAXParserFactory Class]
* Java Documentation - https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/validation/SchemaFactory.html[SchemaFactory Class]
* Java Documentation - https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/transform/TransformerFactory.html[TransformerFactory Class]
* Java Documentation - https://docs.oracle.com/en/java/javase/21/security/java-api-xml-processing-jaxp-security-guide.html[Java API for XML Processing (JAXP) Security Guide]
* Dom4j Documentation - https://dom4j.github.io/javadoc/2.1.4/org/dom4j/io/SAXReader.html[SAXReader Class]
* Jdom2 Documentation - https://javadoc.io/static/org.jdom/jdom2/2.0.6.1/org/jdom2/input/SAXBuilder.html[SAXBuilder class]
* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[XXE Prevention Cheat Sheet]

=== Standards

* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
* CWE - https://cwe.mitre.org/data/definitions/776[CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')]
* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222593[Application Security and Development: V-222593] - XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways.
* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented.
* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Enable XML parsing limitations to prevent Denial of Service attacks.


'''
== Comments And Links
(visible only on this page)

=== on 25 Jan 2022, 10:34:00 Quentin Jaquier wrote:
Quick fixes (for Java): even if it is technically possible to provide a fix that would result in compliant code, it does not sound wise to set properties blindly, as it can have side effects. Fixing the issue requires a careful and good understanding of the overall context of the code.

endif::env-github,rspecator-view[]
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`XML parsers Denial of Service attacks target XML parsers, which are software components responsible for parsing and interpreting XML documents.`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`== Why is this an issue?`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`XML files are complex data structures. When a malicious user is able to submit an XML file, it triggers complex processing that may overwhelm the parser. Most of the time, those complex processing are enabled by default, and XML parsers do not take preventive measures against Denial of Service attacks.`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`=== What is the potential impact?`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Fix broken link (#4208) 2024-08-29 16:59:57 +02:00			`When an attacker successfully exploits the vulnerability, it can lead to a Denial of Service (DoS) condition.`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`=== System Unavailability`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`Affected system becomes unresponsive or crashes, rendering it unavailable to legitimate users. This can have severe consequences, especially for critical systems that rely on continuous availability, such as web servers, APIs, or network services.`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`=== Amplification Attacks`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`In some cases, XML parsers Denial of Service attacks can be used as a part of larger-scale amplification attacks. By leveraging the vulnerability, attackers can generate a disproportionately large response from the targeted system, amplifying the impact of their attack. This can result in overwhelming network bandwidth and causing widespread disruption.`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`include::how-to-fix-it/java-se.adoc[]`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`include::how-to-fix-it/dom4j.adoc[]`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`include::how-to-fix-it/jdom2.adoc[]`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`== Resources`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`=== Documentation`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`* Java Documentation - https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/parsers/DocumentBuilderFactory.html[DocumentBuilderFactory Class]`
			`* Java Documentation - https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/parsers/SAXParserFactory.html[SAXParserFactory Class]`
			`* Java Documentation - https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/validation/SchemaFactory.html[SchemaFactory Class]`
			`* Java Documentation - https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/transform/TransformerFactory.html[TransformerFactory Class]`
			`* Java Documentation - https://docs.oracle.com/en/java/javase/21/security/java-api-xml-processing-jaxp-security-guide.html[Java API for XML Processing (JAXP) Security Guide]`
			`* Dom4j Documentation - https://dom4j.github.io/javadoc/2.1.4/org/dom4j/io/SAXReader.html[SAXReader Class]`
Modify rule S6376: Fix broken link (#4208) 2024-08-29 16:59:57 +02:00			`* Jdom2 Documentation - https://javadoc.io/static/org.jdom/jdom2/2.0.6.1/org/jdom2/input/SAXBuilder.html[SAXBuilder class]`
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java[XXE Prevention Cheat Sheet]`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`=== Standards`
Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]`
			`* OWASP - https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)[Top 10 2017 Category A4 - XML External Entities (XXE)]`
Update security rules: add OWASP Mobile Top 10 2024 security standard (APPSEC-2383) (#4660) 2025-02-19 17:19:00 +01:00			`* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation[Mobile Top 10 2024 Category M4 - Insufficient Input/Output Validation]`
			`* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]`
Modify rule S6376: Change text to education framework format (APPSEC-1109) (#3161) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 14:39:25 +02:00			`* CWE - https://cwe.mitre.org/data/definitions/776[CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')]`
Modify rules: Add STIG AS&D 2023-06-08 mappings (#3914) * Update JSON schema to include STIG ASD 2023-06-08 mapping * Update rules to add STIG metadata mappings --------- Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> 2024-05-06 07:56:31 +01:00			`* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222593[Application Security and Development: V-222593] - XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways.`
			`* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented.`
			`* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608[Application Security and Development: V-222608] - The application must not be vulnerable to XML-oriented attacks.`

Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Enable XML parsing limitations to prevent Denial of Service attacks.`

Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00
			`'''`
Document quick fixes for S2755, S6373, S6374, S6376 and S6377 (#745) 2022-01-25 13:38:33 +01:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 25 Jan 2022, 10:34:00 Quentin Jaquier wrote:`
			`Quick fixes (for Java): even if it is technically possible to provide a fix that would result in compliant code, it does not sound wise to set properties blindly, as it can have side effects. Fixing the issue requires a careful and good understanding of the overall context of the code.`

Create rule S6376[Java]: XML parsers should not be vulnerable to Denial of Service attacks (#566) 2022-01-21 16:46:55 +01:00			`endif::env-github,rspecator-view[]`