Embedding Java bytecode in XML for harmful purposes

So, I was wondering if there is a way to send XML so that the XML contains code (bytecode) that the JVM will inadvertently execute. I am using Java, so I think that compiled code will not work. I think I need to enter bytecode in XML in order to trick the JVM? I want to try to make sure that the web service that I create is safe. I use JAXB for XML marshalling/unmarshalling and Jersey as a web service handler.

+3
3 answers

Accidentally? I do not think so.

The JAXB router is about to deserialize the XML values into the state of this object, but the class and its behavior will be decided by you. I do not see sending the original bytecode in XML and doing something harmful with it.

JSON, Java-, Rhino, .

, Java .

, .

+4

, xml ( ), " ", . , jdk .

+2

XML - , , .

But, of course, some XML dictionaries use data to contain what you can present as instructions for performing an action, and then the recipient may be tricked into performing inappropriate actions, which you might consider a security issue. This vulnerability is not at the XML level; it is at the application protocol level (dictionary). The attack will have to use instructions that make sense in the context of this protocol, which is much more likely to be something like <employee action="delete"/> than something at the bytecode level.

+1
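As an added illustration of the point made in this answer (not code from the question or from any answer), here is a JAXB-mapped class plus a handler that enforces the check at the protocol level, where the answer says the risk actually lives. The Employee class, the action names and the admin flag are hypothetical; the snippet assumes javax.xml.bind on the classpath (bundled with Java 8, a separate jaxb-api dependency on later JDKs).

```java
import java.io.StringReader;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlAttribute;
import javax.xml.bind.annotation.XmlRootElement;

public class EmployeeActionDemo {
    // Hypothetical JAXB-mapped class. Unmarshalling only fills these fields;
    // nothing in the XML document can alter or replace this class's code.
    @XmlRootElement(name = "employee")
    public static class Employee {
        @XmlAttribute public String id;
        @XmlAttribute public String action;
    }

    // The actions this (hypothetical) protocol defines, and which of them are
    // privileged. Anything else is rejected before it reaches business logic.
    private static final Set<String> ALLOWED =
        new HashSet<>(Arrays.asList("view", "update", "delete"));
    private static final Set<String> PRIVILEGED =
        new HashSet<>(Arrays.asList("delete"));

    // Constructed sample request in the shape the answer describes.
    static final String REQUEST = "<employee id=\"42\" action=\"delete\"/>";

    public static void main(String[] args) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(Employee.class).createUnmarshaller();
        Employee e = (Employee) u.unmarshal(new StringReader(REQUEST));
        // After unmarshalling, "delete" is just a String in a field...
        System.out.println("parsed action = " + e.action);
        // ...so the check belongs where the application interprets it.
        System.out.println(handle(e, false)); // caller is not an admin
    }

    // Returns the decision as text; in a Jersey resource this would map to a
    // 400/403 response, with callerIsAdmin taken from the authenticated caller.
    static String handle(Employee e, boolean callerIsAdmin) {
        if (e.action == null || !ALLOWED.contains(e.action)) {
            return "rejected: unknown action " + e.action;
        }
        if (PRIVILEGED.contains(e.action) && !callerIsAdmin) {
            return "forbidden: " + e.action + " on employee " + e.id;
        }
        return "performing " + e.action + " on employee " + e.id;
    }
}
```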
