Monday, May 28, 2018

Re: XML External Entity (XXE) Vulnerability


On Monday, May 28, 2018 at 1:34:59 PM UTC+2, Deepak Antil wrote:
Is GWT prone to XXE vulnerability by default, or does it require any specific configuration for that?

TL;DR: No.
 
XML Prevention Sheet talking about settings for common XML parsers.
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

Not sure what is configured internally in the XML parsers GWT uses.

GWT will (AFAIK) load and process XXEs of *.gwt.xml files when you compile, test or debug your code; but *.gwt.xml files will either be written by yourself/your team, or come from external dependencies, so you have to be just as careful as with any external code that you'll run on your machine.
com.google.gwt.xml.* or com.google.gwt.xhr.* defer to native browser APIs, so they're only vulnerable if your browser is vulnerable.
GWT does not make use of XML in its server-side code (for RPC or RequestFactory) and does not otherwise provide any XML parsing facility itself that would be vulnerable.

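An added example, not part of the original thread and not GWT code: a pre-build check that lists entity declarations in the *.gwt.xml files inside a dependency jar, the files the reply says are processed at compile, test and debug time. The jar contents, paths and function names are constructed for illustration.

```python
import io
import zipfile
from xml.parsers import expat

def entity_declarations(xml_bytes):
    """List <!ENTITY> declarations in one document without resolving any of them."""
    found = []

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if (system_id or public_id) else "internal"
        found.append(f"{kind} entity {name!r} -> {system_id or value!r}")

    # No ExternalEntityRefHandler is set, so expat never fetches external entities.
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        found.append(f"not well-formed: {exc}")
    return found

def audit_jar(jar):
    """Map each *.gwt.xml entry in a jar to its entity declarations (if any)."""
    report = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(".gwt.xml"):
                found = entity_declarations(zf.read(name))
                if found:  # a bare DOCTYPE is not reported, only entity declarations
                    report[name] = found
    return report

# Constructed sample input: two module files and one unrelated XML file.
CLEAN = b'<module><inherits name="com.google.gwt.user.User"/></module>'
SUSPECT = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE module [<!ENTITY ext SYSTEM "http://example.invalid/x.dtd">]>\n'
           b'<module/>')

def build_sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Clean.gwt.xml", CLEAN)
        zf.writestr("com/example/Suspect.gwt.xml", SUSPECT)
        zf.writestr("com/example/Other.xml", SUSPECT)  # not a module file, skipped
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path, findings in audit_jar(build_sample_jar()).items():
        print(path, findings)
```

`audit_jar` also accepts a filesystem path to a real jar, so it can run over a dependency directory before the GWT compiler does.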
