En general, hablando, XXE es realmente fácil de defender: basta con desactivar las entidades externas en tu analizador XML (véase la Figura 24-1). La forma de hacerlo depende del analizador XML en cuestión, pero suele bastar con una sola línea de configuración:
OWASP señala que XXE es especialmente peligroso contra los analizadores XML basados en Java, ya que muchos tienen XXE activado por defecto. Dependiendo del lenguaje y del analizador en el que confíes, es posible que XXE esté desactivado por defecto.
Figura 24-1. Los ataques XXE pueden bloquearse fácilmente configurando adecuadamente tu analizador XML
Siempre debes consultar la documentación de la API de tu analizador XML para asegurarte, y no esperar simplemente que esté desactivado por defecto.
Evaluación de otros formatos de datos
Dependiendo de los casos de uso de tu aplicación, puede ser posible rediseñar la arquitectura de la aplicación para que dependa de un formato de datos diferente en lugar de XML. Este tipo de cambio podría simplificar la base de código, eliminando al mismo tiempo cualquier riesgo de XXE. Normalmente, XML puede intercambiarse con JSON, convirtiendo a JSON en el ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month, and much more.
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.
Julian F.
Head of Cybersecurity
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.
Addison B.
Field Engineer
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.
Amir M.
Data Platform Tech Lead
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.
