宁波高防服务器是如何修复xxe漏洞的？

高防主机作者：宁波机房-大宇2021-02-01 02:55:37

宁波高防服务器租用的技术给你分析一些干货，使用java对xxe漏洞进行修复的方法：

xxe漏洞代码：

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

String FEATURE = null;

// dbf.setExpandEntityReferences无法防止xxe

dbf.setExpandEntityReferences(false);

DocumentBuilder documentBuilder = dbf.newDocumentBuilder();

Document document = documentBuilder.parse(new File("poc.xml"));

xxe漏洞修复代码：

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

String FEATURE = null;

FEATURE = "http://apache. org/xml/features/disallow-doctype-decl";

dbf.setFeature(FEATURE, true);

FEATURE = "http://xml. org/sax/features/external-general-entities";

dbf.setFeature(FEATURE, false);

FEATURE = "http://xml. org/sax/features/external-parameter-entities";

dbf.setFeature(FEATURE, false);

FEATURE = "http://apache. org/xml/features/nonvalidating/load-external-dtd";

dbf.setFeature(FEATURE, false);

dbf.setXIncludeAware(false);

// dbf.setExpandEntityReferences无法防止xxe

dbf.setExpandEntityReferences(false);

DocumentBuilder documentBuilder = dbf.newDocumentBuilder();