Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Draft Base
Structure: Simple
Description
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
Common Consequences 1
Scope: Availability
Impact: DoS: Resource Consumption (Other)
If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Potential Mitigations 2
Phase: Operation
If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
Phase: Implementation
Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
Demonstrative Examples 1
ID : DX-53
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.Code Example:
Attack
XML
xmlObserved Examples 5
CVE-2008-3281XEE in XML-parsing library.
CVE-2011-3288XML bomb / XEE in enterprise communication product.
CVE-2011-1755"Billion laughs" attack in XMPP server daemon.
CVE-2009-1955XML bomb in web server module
CVE-2003-1564Parsing library allows XML bomb
References 7
Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD
Amit Klein
16-12-2002
https://seclists.org/fulldisclosure/2002/Dec/229(2023-04-07)
ID: REF-676
XML security: Preventing XML bombs
Rami Jaamour
22-02-2006
ID: REF-677
Dismantling an XML-Bomb
Didier Stevens
23-09-2008
ID: REF-678
XML Entity Expansion
Robert Auger
ID: REF-679
Tip: Configure SAX parsers for secure processing
Elliotte Rusty Harold
27-05-2005
https://web.archive.org/web/20101005080451/http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html(2023-04-07)
ID: REF-680
XML Denial of Service Attacks and Defenses
Bryan Sullivan
09-2009
ID: REF-500
Preventing Entity Expansion Attacks in JAXB
Blaise Doughan
11-03-2011
ID: REF-682
Likelihood of Exploit
Medium
Applicable Platforms
Languages:
XML : Undetermined
Modes of Introduction
Implementation
Operation
Related Attack Patterns
Alternate Terms
XEE
XEE is the acronym commonly used for XML Entity Expansion.Billion Laughs Attack
XML Bomb
While the "XML Bomb" term was used in the early years of knowledge of this issue, the XEE term seems to be more commonly used.Related Weaknesses
Taxonomy Mapping
- WASC