← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potential XXE Exploitation Attempt In JVM Based Application

Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1190
Rule sourcerules/application/jvm/java_xxe_exploitation_attempt.yml
title: Potential XXE Exploitation Attempt In JVM Based Application
id: c4e06896-e27c-4583-95ac-91ce2279345d
status: test
description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
references:
    - https://rules.sonarsource.com/java/RSPEC-2755
    - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: jvm
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords:
        - 'SAXParseException'
        - 'DOMException'
    condition: keywords
falsepositives:
    - If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE.
level: high