Documentbuilderfactory setvalidating dtd

If the XML file is too large, other Java APIs are available for parsing the XML.This post will describe some findings, problems and inisghts regarding XML External Entity Attacks (XXEA) that we gathered during a large-scale security analysis of several SAML interfaces.The DOM object can then be queries for various XML artifacts like elements, attributes, text nodes, etc.Java provides three different methods for parsing XML.During our study, only few applications responded with a specific error message, but in no case this message reflected any content from the SAML-Assertion.

Add Attribute( " Language", " Attribute( " Source", Schema Url);, using the JAXP parser.

All we need to know is: The bad thing about SAML and XXEA is that applications which verifies the SAML Assertions commonly do not reflect any content.

This means, that in contrast to the first given XXEA example, we are only able to read the content of a system resource using XXE, but we cannot simply send this content somewhere else so that it becomes accessible to the attacker. The only thing that is sent back to the user (attacker) is whether the login was successful or not.

XXEA has been a popular attack class in the last months, see for example This post will explain the basics of XXEA and how to adopt them to SAML, including some special problems you have to cope with.

First, we introduce the concept of Document Type Definition (DTD) and XML External Entity (XXE), and afterwards some basics on SAML.

Leave a Reply