{"@attributes":{"version":"2.0"},"channel":{"title":"Documentation \u2013 Security Notes","link":"https:\/\/docs.aspose.com\/words\/java\/security\/","description":"Recent content in Security Notes on Documentation","generator":"Hugo -- gohugo.io","language":"en","item":{"title":"Java: Web App Security When Loading Resources","link":"https:\/\/docs.aspose.com\/words\/java\/web-applications-security-when-loading-external-resources\/","pubDate":"Mon, 01 Jan 0001 00:00:00 +0000","guid":"https:\/\/docs.aspose.com\/words\/java\/web-applications-security-when-loading-external-resources\/","description":"\n        \n        \n        <p>By default, Aspose.Words for Java can load remote resources such as images, CSS styles, or external HTML documents when importing documents or inserting images using the DocumentBuilder. This behavior allows you to process your documents in full detail but can introduce security risks if the library is part of a web application.<\/p>\n<p>In this article, we take a look at common security issues that can arise when loading external resources and provide recommendations on how to avoid such problems.<\/p>\n\n\n<div class=\"alert alert-primary\" role=\"alert\">\n\nAspose.Words does not function as antivirus software. Therefore, it does not provide information about the presence of malicious components in the document. To ensure the security of your data, check documents obtained from an external source yourself. 
In turn, Aspose.Words provides recommendations on how to deal with problems that can arise when loading external resources.\n<\/div>\n\n<h2 id=\"security-issues\">Security Issues<\/h2>\n<p>There are a number of typical security problems when loading external resources.<\/p>\n<h3 id=\"credential-disclosure-via-linked-images\">Credential Disclosure Via Linked Images<\/h3>\n<p>On Windows-based hosts, documents containing references to resources that use UNC paths such as <em>\u2018\\\\example.com\\a\\b\u2019<\/em> will be processed by default. In a domain environment, this will cause the host to send its domain credentials in a hashed format to the specified server.<\/p>\n<p>If an attacker is able to convince a user or server to process a document with such a resource link pointing to a host they control, the attacker will receive the user or service account credentials in NTLM hash format. Such data can then be reused in a classic pass-the-hash attack, allowing the attacker to gain access to any resource as the victim user or service account.<\/p>\n<p>If the account in question uses a weak or guessable password, the attacker could additionally perform a password cracking attack to recover the account password for further malicious use.<\/p>\n<h3 id=\"local-image-disclosure-via-linked-images\">Local Image Disclosure Via Linked Images<\/h3>\n<p>Similar to the previous case, processing a document with a reference to a local image file will result in that file being included in the final document. This can lead to sensitive information disclosure.<\/p>\n<h3 id=\"denial-of-service\">Denial of Service<\/h3>\n<p>An attacker could upload a document that either references or includes extremely large images \u2013 the so-called &ldquo;decompression bombs&rdquo;. 
When processing these images, the library will consume huge amounts of memory and CPU time.<\/p>\n<h3 id=\"server-side-request-forgery-via-linked-content\">Server-Side Request Forgery Via Linked Content<\/h3>\n<p>An attacker could create a series of documents containing embedded links to common combinations of internal IP address and port, then submit them to a web service using the Aspose.Words library to process the documents.<\/p>\n<p>Based on how long the service takes to process the document, the attacker could determine if a given IP\/Port combination is filtered by a firewall:<\/p>\n<ul>\n<li>longer processing time indicates that the TCP SYN packet sent by the server was dropped by a firewall<\/li>\n<li>quick processing time indicates a successful connection has been made<\/li>\n<\/ul>\n<h2 id=\"solutions-of-security-issues\">Solutions to Security Issues<\/h2>\n<p>To solve the problems described above and to improve the security of web applications, you can control or disable loading of external resources using <a href=\"https:\/\/reference.aspose.com\/words\/java\/com.aspose.words\/iresourceloadingcallback\/\">IResourceLoadingCallback<\/a>.<\/p>\n<p>The following code example shows how to disable loading of external images:<\/p>\n<p><strong>Java<\/strong>\n<div class=\"highlight\"><pre class=\"chroma\"><code class=\"language-java\" data-lang=\"java\"><span class=\"k\">public<\/span> <span class=\"k\">void<\/span> <span class=\"n\">loadDocument<\/span><span class=\"p\">(<\/span><span class=\"n\">String<\/span> <span class=\"n\">documentFilename<\/span><span class=\"p\">)<\/span> <span class=\"n\">throws<\/span> <span class=\"n\">Exception<\/span>\n<span class=\"p\">{<\/span>\n\t<span class=\"n\">LoadOptions<\/span> <span class=\"n\">disableExternalImagesOptions<\/span> <span class=\"p\">=<\/span> <span class=\"k\">new<\/span> <span class=\"n\">LoadOptions<\/span><span class=\"p\">();<\/span>\n\t<span 
class=\"n\">disableExternalImagesOptions<\/span><span class=\"p\">.<\/span><span class=\"n\">setResourceLoadingCallback<\/span><span class=\"p\">(<\/span><span class=\"k\">new<\/span> <span class=\"n\">DisableExternalImagesHandler<\/span><span class=\"p\">());<\/span>\n\n\t<span class=\"n\">Document<\/span> <span class=\"n\">doc<\/span> <span class=\"p\">=<\/span> <span class=\"k\">new<\/span> <span class=\"n\">Document<\/span><span class=\"p\">(<\/span><span class=\"n\">documentFilename<\/span><span class=\"p\">,<\/span> <span class=\"n\">disableExternalImagesOptions<\/span><span class=\"p\">);<\/span>\n<span class=\"p\">}<\/span>\n\n<span class=\"k\">public<\/span> <span class=\"k\">static<\/span> <span class=\"k\">class<\/span> <span class=\"nc\">DisableExternalImagesHandler<\/span> <span class=\"n\">implements<\/span> <span class=\"n\">IResourceLoadingCallback<\/span>\n<span class=\"p\">{<\/span>\n\t<span class=\"k\">public<\/span> <span class=\"cm\">\/*ResourceLoadingAction*\/<\/span><span class=\"kt\">int<\/span> <span class=\"n\">resourceLoading<\/span><span class=\"p\">(<\/span><span class=\"n\">ResourceLoadingArgs<\/span> <span class=\"n\">args<\/span><span class=\"p\">)<\/span>\n\t<span class=\"p\">{<\/span>\n\t\t<span class=\"c1\">\/\/ Skip external images loading.\n<\/span><span class=\"c1\"><\/span>\t\t<span class=\"k\">return<\/span> <span class=\"p\">(<\/span><span class=\"n\">args<\/span><span class=\"p\">.<\/span><span class=\"n\">getResourceType<\/span><span class=\"p\">()<\/span> <span class=\"p\">==<\/span> <span class=\"n\">ResourceType<\/span><span class=\"p\">.<\/span><span class=\"n\">IMAGE<\/span><span class=\"p\">)<\/span>\n\t\t\t<span class=\"p\">?<\/span> <span class=\"n\">ResourceLoadingAction<\/span><span class=\"p\">.<\/span><span class=\"n\">SKIP<\/span>\n\t\t\t<span class=\"p\">:<\/span> <span class=\"n\">ResourceLoadingAction<\/span><span class=\"p\">.<\/span><span class=\"n\">DEFAULT<\/span><span class=\"p\">;<\/span>\n\t<span 
class=\"p\">}<\/span>\n<span class=\"p\">}<\/span>\n<\/code><\/pre><\/div><\/p>\n<p>The following code example shows how to disable loading of remote resources:<\/p>\n<p><strong>Java<\/strong>\n<div class=\"highlight\"><pre class=\"chroma\"><code class=\"language-java\" data-lang=\"java\"><span class=\"k\">public<\/span> <span class=\"k\">void<\/span> <span class=\"n\">loadDocument2<\/span><span class=\"p\">(<\/span><span class=\"n\">String<\/span> <span class=\"n\">documentFilename<\/span><span class=\"p\">)<\/span> <span class=\"n\">throws<\/span> <span class=\"n\">Exception<\/span>\n<span class=\"p\">{<\/span>\n\t<span class=\"n\">LoadOptions<\/span> <span class=\"n\">disableRemoteResourcesOptions<\/span> <span class=\"p\">=<\/span> <span class=\"k\">new<\/span> <span class=\"n\">LoadOptions<\/span><span class=\"p\">();<\/span>\n\t<span class=\"n\">disableRemoteResourcesOptions<\/span><span class=\"p\">.<\/span><span class=\"n\">setResourceLoadingCallback<\/span><span class=\"p\">(<\/span><span class=\"k\">new<\/span> <span class=\"n\">DisableRemoteResourcesHandler<\/span><span class=\"p\">());<\/span>\n\t\n\t<span class=\"n\">Document<\/span> <span class=\"n\">doc<\/span> <span class=\"p\">=<\/span> <span class=\"k\">new<\/span> <span class=\"n\">Document<\/span><span class=\"p\">(<\/span><span class=\"n\">documentFilename<\/span><span class=\"p\">,<\/span> <span class=\"n\">disableRemoteResourcesOptions<\/span><span class=\"p\">);<\/span>\n<span class=\"p\">}<\/span>\t\n\n<span class=\"k\">private<\/span> <span class=\"k\">static<\/span> <span class=\"k\">class<\/span> <span class=\"nc\">DisableRemoteResourcesHandler<\/span> <span class=\"n\">implements<\/span> <span class=\"n\">IResourceLoadingCallback<\/span>\n<span class=\"p\">{<\/span>\n\t<span class=\"k\">public<\/span> <span class=\"cm\">\/*ResourceLoadingAction*\/<\/span><span class=\"kt\">int<\/span> <span class=\"n\">resourceLoading<\/span><span class=\"p\">(<\/span><span 
class=\"n\">ResourceLoadingArgs<\/span> <span class=\"n\">args<\/span><span class=\"p\">)<\/span> <span class=\"n\">throws<\/span> <span class=\"n\">Exception<\/span>\n\t<span class=\"p\">{<\/span>\n\t\t<span class=\"k\">return<\/span> <span class=\"n\">isLocalResource<\/span><span class=\"p\">(<\/span><span class=\"n\">args<\/span><span class=\"p\">.<\/span><span class=\"n\">getOriginalUri<\/span><span class=\"p\">())<\/span>\n\t\t\t<span class=\"p\">?<\/span> <span class=\"n\">ResourceLoadingAction<\/span><span class=\"p\">.<\/span><span class=\"n\">DEFAULT<\/span>\n\t\t\t<span class=\"p\">:<\/span> <span class=\"n\">ResourceLoadingAction<\/span><span class=\"p\">.<\/span><span class=\"n\">SKIP<\/span><span class=\"p\">;<\/span>\n\t<span class=\"p\">}<\/span>\n\n\t<span class=\"c1\">\/\/ Simplified code.\n<\/span><span class=\"c1\"><\/span>\t<span class=\"k\">private<\/span> <span class=\"k\">static<\/span> <span class=\"n\">boolean<\/span> <span class=\"n\">isLocalResource<\/span><span class=\"p\">(<\/span><span class=\"n\">String<\/span> <span class=\"n\">fileName<\/span><span class=\"p\">)<\/span> <span class=\"n\">throws<\/span> <span class=\"n\">Exception<\/span>\n\t<span class=\"p\">{<\/span>\n\t\t<span class=\"n\">String<\/span> <span class=\"n\">protocol<\/span> <span class=\"p\">=<\/span> <span class=\"k\">null<\/span><span class=\"p\">;<\/span>\n\t\n\t\t<span class=\"n\">URI<\/span> <span class=\"n\">uri<\/span> <span class=\"p\">=<\/span> <span class=\"k\">new<\/span> <span class=\"n\">URI<\/span><span class=\"p\">(<\/span><span class=\"n\">fileName<\/span><span class=\"p\">);<\/span>\n\t\t<span class=\"k\">if<\/span> <span class=\"p\">(<\/span><span class=\"n\">uri<\/span><span class=\"p\">.<\/span><span class=\"n\">isAbsolute<\/span><span class=\"p\">())<\/span>\n\t\t<span class=\"p\">{<\/span>\n\t\t\t<span class=\"n\">protocol<\/span> <span class=\"p\">=<\/span> <span class=\"n\">uri<\/span><span class=\"p\">.<\/span><span 
class=\"n\">getScheme<\/span><span class=\"p\">();<\/span>\n\t\t<span class=\"p\">}<\/span>\n\t\t<span class=\"k\">else<\/span>\n\t\t<span class=\"p\">{<\/span>\n\t\t\t<span class=\"n\">URL<\/span> <span class=\"n\">url<\/span> <span class=\"p\">=<\/span> <span class=\"k\">new<\/span> <span class=\"n\">URL<\/span><span class=\"p\">(<\/span><span class=\"n\">fileName<\/span><span class=\"p\">);<\/span>\n\t\t\t<span class=\"n\">protocol<\/span> <span class=\"p\">=<\/span> <span class=\"n\">url<\/span><span class=\"p\">.<\/span><span class=\"n\">getProtocol<\/span><span class=\"p\">();<\/span>\n\t\t<span class=\"p\">}<\/span>\n\t\n\t\t<span class=\"k\">return<\/span> <span class=\"s\">&#34;file&#34;<\/span><span class=\"p\">.<\/span><span class=\"n\">equalsIgnoreCase<\/span><span class=\"p\">(<\/span><span class=\"n\">protocol<\/span><span class=\"p\">);<\/span>\n\t<span class=\"p\">}<\/span>\n<span class=\"p\">}<\/span>\n<\/code><\/pre><\/div><\/p>\n\n\n<div class=\"alert alert-primary\" role=\"alert\">\n\nThis article is based on the consulting firm Independent Security Evaluators <a href=\"ise-aspose-report.pdf\">report<\/a>.\n<\/div>\n\n\n      "}}}