The Java XML Binding (JAXB) runtime that ships with OpenJDK 1.8 uses a default configuration that protects against XML external entity (XXE) attacks. Contrast researched this secure default configuration and found that developers should not rely on it to protect their applications from XXE attacks. In this post, we explain why seemingly innocuous changes to the open-source libraries an application uses can affect the default configuration of JAXB, why the default configuration only applies to some JAXB application programming interfaces (APIs), and how Contrast helps development teams better protect applications from XXE attacks.
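Because the protection depends on which parser the runtime selects, one way to take it out of the runtime's hands is to build the StAX reader yourself and hand it to JAXB. The following is an added example written for this post, not Contrast's code or the JAXB project's; the `Order` class and the sample documents are constructed, and the `javax.xml.bind` package is the one bundled with JDK 8.

```java
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class HardenedJaxbUnmarshal {

    // Hypothetical bound type, constructed for this example.
    @XmlRootElement(name = "order")
    public static class Order {
        public String note;
    }

    // A StAX factory that refuses DTDs and external entities outright, so the
    // outcome no longer depends on which parser JAXB would pick by default.
    static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    // Unmarshal through the explicitly hardened reader instead of the
    // Unmarshaller.unmarshal(InputStream) / unmarshal(Reader) overloads,
    // which leave parser selection and configuration to the runtime.
    public static Order unmarshalOrder(String xml) throws JAXBException, XMLStreamException {
        XMLStreamReader reader = hardenedInputFactory().createXMLStreamReader(new StringReader(xml));
        Unmarshaller unmarshaller = JAXBContext.newInstance(Order.class).createUnmarshaller();
        return (Order) unmarshaller.unmarshal(reader);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a plain document binds normally.
        Order ok = unmarshalOrder("<order><note>shipped</note></order>");
        System.out.println("note = " + ok.note);

        // Constructed sample: any DOCTYPE, even one declaring only an internal
        // entity, is either reported as an error or skipped by the hardened
        // reader, so nothing the DTD declares is ever resolved.
        String withDtd = "<!DOCTYPE order [<!ENTITY greeting \"hello\">]>"
            + "<order><note>&greeting;</note></order>";
        try {
            Order parsed = unmarshalOrder(withDtd);
            System.out.println("DTD skipped; note = " + parsed.note);
        } catch (XMLStreamException | JAXBException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```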
*** This is a Security Bloggers Network syndicated blog from Security Influencers Blog authored by Johnathan Gilday. Read the original post at: https://www.contrastsecurity.com/security-influencers/xml-xxe-pitfalls-with-jaxb