Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-776 Base Rascunho
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
This vulnerability occurs when an XML parser allows Document Type Definitions (DTDs) to contain recursively defined entities without proper limits, enabling malicious data structures.
Definição
What is CWE-776?
This vulnerability occurs when an XML parser allows Document Type Definitions (DTDs) to contain recursively defined entities without proper limits, enabling malicious data structures.
Attackers can craft a malicious DTD that defines XML entities in a recursive loop—where one entity references another, which then references back to the first, creating a chain. When the parser expands these entities, what looks like a small XML file in memory explodes into a massive data structure, consuming excessive CPU and memory.
This results in a classic Denial-of-Service (DoS) attack, often called 'XML Entity Expansion' or 'Billion Laughs.' To prevent it, developers should disable DTD processing entirely in their XML parsers when possible, or explicitly configure them to restrict entity expansion depth and total memory usage during parsing.
Impacto no mundo real
Real-world CVEs caused by CWE-776
-
XEE in XML-parsing library.
-
XML bomb / XEE in enterprise communication product.
-
"Billion laughs" attack in XMPP server daemon.
-
XML bomb in web server module
-
Parsing library allows XML bomb
Como os atacantes a exploram
Trajeto do atacante passo a passo
- 1
Identificar um caminho de código que trata input não confiável sem validação.
- 2
Criar um payload que explora o comportamento inseguro — injeção, traversal, overflow ou abuso de lógica.
- 3
Entregar o payload através de um pedido normal e observar a reação da aplicação.
- 4
Iterar até que a resposta exponha dados, execute código do atacante ou escale privilégios.
Exemplo de código vulnerável
Vulnerable XML
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
<?xml version="1.0"?>
<!DOCTYPE MaliciousDTD [
<!ENTITY ZERO "A">
<!ENTITY ONE "&ZERO;&ZERO;">
<!ENTITY TWO "&ONE;&ONE;">
...
<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
]>
<data>&THIRTYTWO;</data> Payload do atacante
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
<?xml version="1.0"?>
<!DOCTYPE MaliciousDTD [
<!ENTITY ZERO "A">
<!ENTITY ONE "&ZERO;&ZERO;">
<!ENTITY TWO "&ONE;&ONE;">
...
<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
]>
<data>&THIRTYTWO;</data> Exemplo de código seguro
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção
How to prevent CWE-776
- Operation If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
- Implementation Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
Sinais de deteção
How to detect CWE-776
O Plexicus deteta automaticamente o CWE-776 e abre um PR de correção em menos de 60 segundos.
O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.
Perguntas frequentes O que é o CWE-776?
Qual a gravidade do CWE-776?
Que linguagens ou plataformas são afetadas pelo CWE-776?
Como posso prevenir o CWE-776?
Como é que o Plexicus deteta e corrige o CWE-776?
Onde posso saber mais sobre o CWE-776?
Frequently asked questions
O que é o CWE-776?
This vulnerability occurs when an XML parser allows Document Type Definitions (DTDs) to contain recursively defined entities without proper limits, enabling malicious data structures.
Qual a gravidade do CWE-776?
A MITRE classifica a probabilidade de exploração como Média — a exploração é realista mas normalmente requer condições específicas.
Que linguagens ou plataformas são afetadas pelo CWE-776?
MITRE lists the following affected platforms: XML.
Como posso prevenir o CWE-776?
If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities. Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
Como é que o Plexicus deteta e corrige o CWE-776?
O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-776 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.
Onde posso saber mais sobre o CWE-776?
A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/776.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.
Fraquezas relacionadas
Weaknesses related to CWE-776
Recursos
Further reading
- MITRE — CWE-776 oficial https://cwe.mitre.org/data/definitions/776.html
- Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD https://seclists.org/fulldisclosure/2002/Dec/229
- XML security: Preventing XML bombs http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1168442,00.html?asrc=SS_CLA_302%20%20558&psrc=CLT_92#
- Dismantling an XML-Bomb https://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/
- XML Entity Expansion http://projects.webappsec.org/w/page/13247002/XML%20Entity%20Expansion
- Tip: Configure SAX parsers for secure processing https://web.archive.org/web/20101005080451/http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html
- XML Denial of Service Attacks and Defenses https://learn.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses
Pronto quando você estiver
Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.
O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.