| package flex.messaging.securityadvisories; |
| |
| import com.sun.org.apache.xml.internal.serialize.OutputFormat; |
| import com.sun.org.apache.xml.internal.serialize.XMLSerializer; |
| import flex.messaging.util.DoubleUtil; |
| import flex.messaging.util.XMLUtil; |
| import junit.framework.Assert; |
| import junit.framework.TestCase; |
| import org.w3c.dom.Document; |
| |
| import java.io.File; |
| import java.io.PrintWriter; |
| import java.io.StringWriter; |
| |
| /** |
| * Created by christoferdutz on 23.07.15. |
| */ |
| |
| public class BlazeDsXmlProcessingXXEVulnerability extends TestCase { |
| |
| public void testVulnerability() throws Exception { |
| int secret = (int) (Math.random() * 1000); |
| |
| // Create a temp file containing a secret. |
| File temp = File.createTempFile("xxe-test", ".txt"); |
| PrintWriter out = new PrintWriter(temp); |
| out.println(Integer.toString(secret)); |
| out.close(); |
| |
| String uri = temp.toURI().toASCIIString(); |
| StringBuffer xml = new StringBuffer(512); |
| xml.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n"); |
| xml.append("<!DOCTYPE foo [\r\n"); |
| xml.append("<!ELEMENT foo ANY >\r\n"); |
| xml.append("<!ENTITY xxe SYSTEM \"" + uri + "\" >]>\r\n"); |
| xml.append("<foo>The Secret is: &xxe;</foo>"); |
| |
| Document data = XMLUtil.stringToDocument(xml.toString()); |
| |
| OutputFormat format = new OutputFormat(data); |
| StringWriter stringOut = new StringWriter(); |
| XMLSerializer serial = new XMLSerializer(stringOut, format); |
| serial.serialize(data); |
| |
| Assert.assertFalse(stringOut.toString().contains("The Secret is: " + Integer.toString(secret))); |
| } |
| |
| } |
