XML: Grails 2.4.4 - XXE, automatic XML parsing, external XML entities

I have a Grails 2.4.4 application that was recently scanned by our security team, and we found that the application was open to XXE attacks. The Grails 2.4.x documentation suggests that the HttpServletRequest is enhanced with an XmlSlurper instance. Is there some way to avoid XML parsing of an incoming payload if we don't want the method to accept an XML payload?

It is my understanding that XXE leaves us vulnerable to external entity exploits relating to DOCTYPE entities. Is the core Grails 2.4.4 code initiating the XmlSlurper instance with the proper parameters to avoid the use of DOCTYPE declarations in XML payloads? It seems that we are vulnerable to this.

How can we make sure that an attacker won't send us large XML files as input to any Grails controller method accepting POST requests? Researching XXE exploits shows that we are also vulnerable to DoS attacks. I have not been able to find much in my searching on the Grails side of things regarding these types of exploits, which makes me wonder if I am missing something that Grails is doing to mitigate the issue. Please let me know if I need to provide more detail, and thanks for the help.
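As an added illustration (not code from the question or from Grails itself), the Groovy snippet below shows how an XmlSlurper can be configured explicitly so that it refuses any DOCTYPE and never resolves external entities, independent of whatever defaults the framework's own instance uses; it also caps payload size before parsing, which addresses the large-input concern. The feature URIs are the standard SAX/Xerces ones; the `SafeXml` class, the size limit and the sample documents are constructed for this example.

```groovy
import groovy.util.XmlSlurper
import org.xml.sax.SAXParseException

class SafeXml {
    // Constructed limit for this example; size it to what your endpoints really need.
    static final int MAX_CHARS = 64 * 1024

    // Build an XmlSlurper that rejects DOCTYPE declarations outright and,
    // as a second layer, never fetches external general/parameter entities or DTDs.
    static XmlSlurper hardenedSlurper() {
        def slurper = new XmlSlurper()
        slurper.setFeature('http://apache.org/xml/features/disallow-doctype-decl', true)
        slurper.setFeature('http://xml.org/sax/features/external-general-entities', false)
        slurper.setFeature('http://xml.org/sax/features/external-parameter-entities', false)
        slurper.setFeature('http://apache.org/xml/features/nonvalidating/load-external-dtd', false)
        return slurper
    }

    // Parse untrusted text: enforce a size cap first, then use the hardened parser.
    static def parseUntrusted(String xml) {
        if (xml.length() > MAX_CHARS) {
            throw new IllegalArgumentException("XML payload exceeds ${MAX_CHARS} characters")
        }
        return hardenedSlurper().parseText(xml)
    }
}

// Constructed sample 1: plain document, no DOCTYPE -> parses normally.
def plain = '<note><to>ops</to></note>'
assert SafeXml.parseUntrusted(plain).to.text() == 'ops'

// Constructed sample 2: carries a DOCTYPE with a harmless internal entity.
// The hardened parser must stop at the DOCTYPE before it reads any entity body.
def withDoctype = '''<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY greeting "hello"> ]>
<note>&greeting;</note>'''
try {
    SafeXml.parseUntrusted(withDoctype)
    assert false, 'DOCTYPE should have been rejected'
} catch (SAXParseException e) {
    println "rejected as expected: ${e.message}"
}

// Constructed sample 3: oversized payload is refused before the parser ever runs.
def oversized = '<a>' + ('x' * (SafeXml.MAX_CHARS + 1)) + '</a>'
try {
    SafeXml.parseUntrusted(oversized)
    assert false, 'oversized payload should have been rejected'
} catch (IllegalArgumentException e) {
    println "rejected as expected: ${e.message}"
}
```

Note that this only covers XML you parse yourself; whatever the framework parses automatically (for example through `request.XML`) has to be checked against that framework version's own parser configuration.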
