logo

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Draft Base
Structure: Simple
Description

This vulnerability occurs when an XML parser allows Document Type Definitions (DTDs) to contain recursively defined entities without proper limits, enabling malicious data structures.

Extended Description

Attackers can craft a malicious DTD that defines XML entities in a recursive loop—where one entity references another, which then references back to the first, creating a chain. When the parser expands these entities, what looks like a small XML file in memory explodes into a massive data structure, consuming excessive CPU and memory. This results in a classic Denial-of-Service (DoS) attack, often called 'XML Entity Expansion' or 'Billion Laughs.' To prevent it, developers should disable DTD processing entirely in their XML parsers when possible, or explicitly configure them to restrict entity expansion depth and total memory usage during parsing.
Common Consequences 1
Scope: Availability

Impact: DoS: Resource Consumption (Other)

If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 2
Phase: Operation
If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
Phase: Implementation
Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
Demonstrative Examples 1

ID : DX-53

The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.

Code Example:

Attack
XML
xml
Observed Examples 5
CVE-2008-3281XEE in XML-parsing library.
CVE-2011-3288XML bomb / XEE in enterprise communication product.
CVE-2011-1755"Billion laughs" attack in XMPP server daemon.
CVE-2009-1955XML bomb in web server module
CVE-2003-1564Parsing library allows XML bomb
References 7
Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD
Amit Klein
16-12-2002
https://seclists.org/fulldisclosure/2002/Dec/229(2023-04-07)
ID: REF-676
XML security: Preventing XML bombs
Rami Jaamour
22-02-2006
http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1168442,00.html?asrc=SS_CLA_302%20%20558&psrc=CLT_92#
ID: REF-677
Dismantling an XML-Bomb
Didier Stevens
23-09-2008
https://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/(2023-04-07)
ID: REF-678
XML Entity Expansion
Robert Auger
http://projects.webappsec.org/w/page/13247002/XML%20Entity%20Expansion(2023-04-07)
ID: REF-679
Tip: Configure SAX parsers for secure processing
Elliotte Rusty Harold
27-05-2005
https://web.archive.org/web/20101005080451/http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html(2023-04-07)
ID: REF-680
XML Denial of Service Attacks and Defenses
Bryan Sullivan
09-2009
https://learn.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses(2023-04-07)
ID: REF-500
Preventing Entity Expansion Attacks in JAXB
Blaise Doughan
11-03-2011
http://blog.bdoughan.com/2011/03/preventing-entity-expansion-attacks-in.html(2023-04-07)
ID: REF-682
Likelihood of Exploit

Medium

Applicable Platforms
Languages:
XML : Undetermined
Modes of Introduction
Implementation
Operation
Related Attack Patterns
Alternate Terms

XEE

XEE is the acronym commonly used for XML Entity Expansion.

Billion Laughs Attack

XML Bomb

While the "XML Bomb" term was used in the early years of knowledge of this issue, the XEE term seems to be more commonly used.
Related Weaknesses
ChildOf: Uncontrolled Recursion (CWE-674)
ChildOf: Uncontrolled Recursion (CWE-674)
ChildOf: Asymmetric Resource Consumption (Amplification) (CWE-405)
Taxonomy Mapping
  • WASC