How to prevent XXE attack (XmlDocument in .NET)

盖世英雄少女心 2020-12-13 04:19

We had a security audit on our code, and they mentioned that our code is vulnerable to XML External Entity (XXE) attack. I am using the following code:

string OurOu         


        
2 answers
  •  没有蜡笔的小新
    2020-12-13 04:59

    So it's better to use

    new XmlDocument { XmlResolver = null };
    

    Interestingly, from .NET 4.5.2 and 4.6, the default resolver behaves differently and does not use an XmlUrlResolver upfront implicitly to resolve any URLs or locations, as I have seen.

    //In pre-4.5.2 it is a security issue.
    //In 4.5.2 it will no longer resolve the URL references in DTDs and such.
    //Still better to avoid the below since it will trigger security warnings.
    new XmlDocument(); 
    
