Requested Xxe examples

src/main/java/com/aspectsecurity/unittestsweb/xxetestcases/ExternalDTDDisabledParameterTestCase.java

@@ -0,0 +1,40 @@
+package com.aspectsecurity.unittestsweb.xxetestcases;
+
+import com.aspectsecurity.unittestsweb.XXETestCase;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
+
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+
+@WebServlet({"/externaldtddisabledxmlparameter", "/externaldtddisabled"})
+public class ExternalDTDDisabledParameterTestCase extends XXETestCase {
+
+    @Override
+    protected void doTest(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        try {
+            final SAXParserFactory factory = SAXParserFactory.newInstance();
+            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            final XMLReader reader = factory.newSAXParser().getXMLReader();
+            TestHandler testHandler = new TestHandler();
+            reader.setContentHandler(testHandler);
+            InputStream is = new ByteArrayInputStream(request.getParameter("payload").getBytes());
+            reader.parse(new InputSource(is)); // if contrast protect is blocking XXE, exception is thrown here.
+            // If testData were returned to the client, they would see secret/sensitive data.
+            printResults(false,  testHandler.getTestData(), response);
+        } catch (SAXException|SecurityException ex) {
+            printResults(true, ex, response);	// safe: exception thrown when parsing XML
+        } catch (ParserConfigurationException e) {
+            throw new IOException(e);
+        }
+    }
+
+}

src/main/java/com/aspectsecurity/unittestsweb/xxetestcases/JAXBUnsafeSaxSourceTestCase.java

@@ -0,0 +1,50 @@
+package com.aspectsecurity.unittestsweb.xxetestcases;
+
+import com.aspectsecurity.unittests.jaxb.BookType;
+import com.aspectsecurity.unittests.jaxb.Collection;
+import com.aspectsecurity.unittestsweb.XXETestCase;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.sax.SAXSource;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.util.List;
+
+@WebServlet("/jaxbunsafesaxsource")
+public class JAXBUnsafeSaxSourceTestCase extends XXETestCase {
+
+
+    @Override
+    protected void doTest(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        try {
+            Unmarshaller unmarshaller = JAXBContext.newInstance(Collection.class).createUnmarshaller();
+            SAXSource saxSource = new SAXSource(
+                    SAXParserFactory.newInstance().newSAXParser().getXMLReader(),
+                    new InputSource(new ByteArrayInputStream(request.getParameter("payload").getBytes())));
+            Collection collection = unmarshaller.unmarshal(saxSource, Collection.class).getValue();
+            Collection.Books booksType = collection.getBooks();
+            List<BookType> bookList = booksType.getBook();
+            String discount = "";
+            for (BookType book : bookList) {
+                discount = book.getPromotion().getDiscount().trim();
+            }
+            printResults(false, discount, response);
+        }
+        catch (SecurityException ex) {
+            printResults(true, ex, response);	// safe: exception thrown when parsing XML
+        } catch (ParserConfigurationException|SAXException|JAXBException e) {
+            throw new IOException(e);
+        }
+    }
+
+
+}

src/main/java/com/aspectsecurity/unittestsweb/xxetestcases/SaxParserExternalDTDDisabledParameterTestCase.java

@@ -0,0 +1,43 @@
+package com.aspectsecurity.unittestsweb.xxetestcases;
+
+import com.aspectsecurity.unittestsweb.XXETestCase;
+import org.xml.sax.Attributes;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.DefaultHandler;
+
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+import java.io.*;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+
+@WebServlet({"/saxparserexternaldtddisabledxmlparameter","/saxparserexternaldtddisabled"})
+public class SaxParserExternalDTDDisabledParameterTestCase extends XXETestCase {
+    @Override
+    protected void doTest(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        try {
+            final SAXParserFactory factory = SAXParserFactory.newInstance();
+            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            final SAXParser parser = factory.newSAXParser();
+            TestHandler testHandler = new TestHandler();
+            InputStream is = new ByteArrayInputStream(request.getParameter("payload").getBytes());
+            parser.parse(new InputSource(is), testHandler); // if contrast protect is blocking XXE, exception is thrown here.
+            // If testData were returned to the client, they would see secret/sensitive data.
+            printResults(false,  testHandler.getTestData(), response);
+        } catch (SAXException|SecurityException ex) {
+            printResults(true, ex, response);	// safe: exception thrown when parsing XML
+        } catch (ParserConfigurationException  e) {
+            throw new IOException(e);
+        }
+    }
+
+
+}

src/main/java/com/aspectsecurity/unittestsweb/xxetestcases/TestHandler.java

@@ -0,0 +1,46 @@
+package com.aspectsecurity.unittestsweb.xxetestcases;
+
+import org.xml.sax.Attributes;
+import org.xml.sax.SAXException;
+import org.xml.sax.helpers.DefaultHandler;
+
+/** Simple Handler that extracts the contents of any element named {@code <test>}. */
+public class TestHandler extends DefaultHandler {
+    private final StringBuilder testData;
+    boolean inTest;
+
+    public TestHandler() {
+        this.testData = new StringBuilder();
+        inTest = false;
+    }
+
+    @Override
+    public void startElement(String uri, String localName, String qName, Attributes attributes)
+            throws SAXException {
+        super.startElement(uri, localName, qName, attributes);
+        if ("test".equals(qName) || "test".equals(localName)) {
+            inTest = true;
+        }
+    }
+
+    @Override
+    public void endElement(String uri, String localName, String qName) throws SAXException {
+        if ("test".equals(qName) || "test".equals(localName)) {
+            inTest = false;
+        }
+        super.endElement(uri, localName, qName);
+    }
+
+    @Override
+    public void characters(char[] ch, int start, int length) throws SAXException {
+        if (inTest) {
+            testData.append(ch, start, length);
+        }
+        super.characters(ch, start, length);
+    }
+
+    public String getTestData() {
+        return testData.toString();
+    }
+}
+

src/main/resources/maliciousdtd.dtd

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+        <!ENTITY xxe "%param_xxe;">

src/main/resources/xxetest2web.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0"?>
+<!DOCTYPE test [
+        <!ENTITY % param_xxe SYSTEM "../../../src/main/resources/xxe.txt">
+        <!ENTITY % dtd SYSTEM "../../../../src/main/resources/maliciousdtd.dtd">
+        %dtd;
+        ]>
+<test>&xxe;</test>

src/main/webapp/index.jsp

@@ -51,6 +51,8 @@
 <ul>
 	<li><a href="https://docs.oracle.com/javase/7/docs/api/javax/xml/parsers/DocumentBuilder.html">javax.xml.parsers.<b>DocumentBuilder</b> (link to Javadoc)</a>
         <ol>
+            <li><a href="xmlview.jsp?title=<%= Encode.forUriComponent("Unsafe External DTD Disabled") %>&test=<%= Encode.forUriComponent("DocumentBuilder: Unsafe by Default Example") %>&var=<%= Encode.forUriComponent("externaldtddisabled") %>">External DTD Disabled</a></li>
+            <li><a href="xmlview.jsp?title=<%= Encode.forUriComponent("Unsafe External DTD Disabled Parameter") %>&test=<%= Encode.forUriComponent("DocumentBuilder: Unsafe by Default Parameter Example") %>&var=<%= Encode.forUriComponent("externaldtddisabledxmlparameter") %>">External DTD Disabled Parameter</a></li>
             <li><a href="xmlview.jsp?title=<%= Encode.forUriComponent("Unsafe DocumentBuilder") %>&test=<%= Encode.forUriComponent("DocumentBuilder: Unsafe by Default Example") %>&var=<%= Encode.forUriComponent("documentbuilderunsafedefault") %>">Unsafe by Default Example</a></li>
             <li><a href="xmlview.jsp?title=<%= Encode.forUriComponent("\"Safe\" DocumentBuilder") %>&test=<%= Encode.forUriComponent("DocumentBuilder: \"Safe\" when Disabling Entity Expansion Example (FAILURE)") %>&var=<%= Encode.forUriComponent("documentbuildersafeexpand") %>">"Safe" when Disabling Entity Expansion Example <span class="redText">(FAILURE)</span></a></li>
             <li><a href="xmlview.jsp?title=<%= Encode.forUriComponent("Safe DocumentBuilder") %>&test=<%= Encode.forUriComponent("DocumentBuilder: Safe when Disallowing DOCTYPE Declarations Example") %>&var=<%= Encode.forUriComponent("documentbuildersafedoctype") %>">Safe when Disallowing DOCTYPE Declarations Example</a></li>
@@ -66,6 +68,7 @@
         <ol start="<%= (testCount += 7) %>">
             <li><a href="xmlview.jsp?title=<%= Encode.forUriComponent("Unsafe JAXBContext") %>&test=<%= Encode.forUriComponent("JAXBContext: Unsafe (Safe in Java 1.8 and up) JAXBContext Unmarshaller from File Example") %>&var=<%= Encode.forUriComponent("jaxbunsafefile") %>">Unsafe (Safe in Java 1.8 and up) JAXBContext Unmarshaller from File Example</a></li>
             <li><a href="xmlview.jsp?title=<%= Encode.forUriComponent("Unsafe JAXBContext") %>&test=<%= Encode.forUriComponent("JAXBContext: Unsafe JAXBContext Unmarshaller from Unsafe XMLInputFactory Example") %>&var=<%= Encode.forUriComponent("jaxbunsafexmlinputfactory") %>">Unsafe JAXBContext Unmarshaller from Unsafe XMLInputFactory Example</a></li>
+            <li><a href="xmlview.jsp?title=<%= Encode.forUriComponent("Unsafe JAXBContext SaxSource") %>&test=<%= Encode.forUriComponent("JAXBContext: Unsafe JAXBContext Unmarshaller from Unsafe SaxSource") %>&var=<%= Encode.forUriComponent("jaxbunsafesaxsource") %>">Unsafe JAXBContext Unmarshaller from Unsafe SaxSource Example</a></li>
             <li><a href="xmlview.jsp?title=<%= Encode.forUriComponent("Safe JAXBContext") %>&test=<%= Encode.forUriComponent("JAXBContext: Safe JAXBContext Unmarshaller from Safe XMLInputFactory Example") %>&var=<%= Encode.forUriComponent("jaxbsafexmlinputfactory") %>">Safe JAXBContext Unmarshaller from Safe XMLInputFactory Example</a></li>
         </ol>
         <br />
@@ -93,6 +96,8 @@
             <li><a href="xmlview.jsp?title=<%= Encode.forUriComponent("Unsafe SAXParserFactory") %>&test=<%= Encode.forUriComponent("SAXParserFactory: Unsafe when Enabling External General and Parameter Entities Example") %>&var=<%= Encode.forUriComponent("saxparserfactoryunsafeexternal") %>">Unsafe when Enabling External General and Parameter Entities Example</a></li>
             <li><a href="xmlview.jsp?title=<%= Encode.forUriComponent("Unsafe SAXParserFactory") %>&test=<%= Encode.forUriComponent("SAXParserFactory: Unsafe when Disabling Validation Example") %>&var=<%= Encode.forUriComponent("saxparserfactoryunsafevalidationoff") %>">Unsafe when Disabling Validation Example</a></li>
             <li><a href="xmlview.jsp?title=<%= Encode.forUriComponent("Unsafe SAXParserFactory") %>&test=<%= Encode.forUriComponent("SAXParserFactory: Unsafe when Enabling Validation Example") %>&var=<%= Encode.forUriComponent("saxparserfactoryunsafevalidationon") %>">Unsafe when Enabling Validation Example</a></li>
+            <li><a href="xmlview.jsp?title=<%= Encode.forUriComponent("Unsafe SAXParserFactory") %>&test=<%= Encode.forUriComponent("SAXBuilder: Unsafe when DTD Disabled Example") %>&var=<%= Encode.forUriComponent("saxparserexternaldtddisabled") %>">Unsafe SAXParserFactory DTD Disabled</a></li>
+            <li><a href="xmlview.jsp?title=<%= Encode.forUriComponent("Unsafe SAXParserFactory") %>&test=<%= Encode.forUriComponent("SAXBuilder: Unsafe when DTD Disabled Example with Parameter Example") %>&var=<%= Encode.forUriComponent("saxparserexternaldtddisabledxmlparameter") %>">Unsafe SAXParserFactory DTD Disabled with Parameter</a></li>
         </ol>
         <br />
 	</li>

src/main/webapp/xmlview.jsp

@@ -70,6 +70,9 @@
 	    else if (request.getParameter("var").contains("xmldecoder")) {
 		in = new BufferedReader(new InputStreamReader(getClass().getResourceAsStream("/xxetestbeanweb.xml")));
 	    }
+        else if (request.getParameter("var").contains("xmlparameter")) {
+            in = new BufferedReader(new InputStreamReader(getClass().getResourceAsStream("/xxetest2web.xml")));
+        }
 	    else {
 		in = new BufferedReader(new InputStreamReader(getClass().getResourceAsStream("/xxetest1web.xml")));
 	    }