"Scanner State 24 not Recognized" while trying XXE
Reference 1: https://github.com/mozilla/rhino/issues/479
A potential XXE vulnerability found on rhino · Issue #479 · mozilla/rhino
"Howdy, Just found a potential XXE vulnerability on rhino as shown below, it seems function toXml didn't add any protection from XXE vulnerability when parsing XML document. https://github.com/mo..."
Reference 2: stackoverflow.com
What is org.xml.sax.SAXException: Scanner State 24 not Recognized?
"I am getting the following Exception but unable to find any documentation specific to this exception: org.xml.sax.SAXException: Scanner State 24 not Recognized at com.sun.org.apache.xerces."
<error> <![CDATA[org.jdom.input.JDOMParseException: Error in building: Scanner State 24 not Recognized : Scanner State 24 not Recognized ]]> </error>
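While attempting an XXE attack, the server responded with the message "Scanner State 24 not Recognized".
It seems the server filters "!DOCTYPE" as a defense against XXE when it parses XML.
The detailed filtering code does not appear to be public (see reference 2).
Conclusion: if you come across the message "Scanner State 24 not Recognized" while attempting an XXE attack, back off.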
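One common way a Java server rejects DOCTYPE declarations, shown as an added example that is not from the original post or from the server in question (whose filtering code is not public). The class name and sample documents are constructed, and this JAXP setting raises the parser's own "DOCTYPE disallowed" error, which is not necessarily the message quoted above.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class DoctypeRejectionDemo {
    // Constructed sample: a harmless internal entity, enough to show whether DTDs are processed.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE note [<!ENTITY e \"expanded\">]>"
      + "<note>&e;</note>";
    static final String PLAIN = "<?xml version=\"1.0\"?><note>hello</note>";

    static DocumentBuilder builder(boolean hardened) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        if (hardened) {
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Any <!DOCTYPE ...> becomes a fatal error before entities are resolved.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
        }
        return f.newDocumentBuilder();
    }

    static String parse(String xml, boolean hardened) {
        try {
            return "OK: " + builder(hardened)
                .parse(new InputSource(new StringReader(xml)))
                .getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            // Return a generic status to the client; keep parser detail in server logs only,
            // unlike the <error> response above, which echoes the parser exception.
            return "REJECTED";
        } catch (Exception e) {
            return "ERROR";
        }
    }

    public static void main(String[] args) {
        System.out.println("default  + DOCTYPE: " + parse(WITH_DOCTYPE, false));
        System.out.println("hardened + DOCTYPE: " + parse(WITH_DOCTYPE, true));
        System.out.println("hardened + plain  : " + parse(PLAIN, true));
    }
}
```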