Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Weakness ID: 776 (Weakness Variant) Status: Draft
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
XEE is the acronym commonly used for XML Entity Expansion.
Billion Laughs Attack
While the "XML Bomb" term was used in the early years of knowledge of
this issue, the XEE term seems to be more commonly used.
Time of Introduction
Technical Impact: DoS: resource consumption
If parsed, recursive entity references allow the attacker to expand
data exponentially, quickly consuming all system resources.
Likelihood of Exploit
The DTD and the very brief XML below illustrate what is meant by an
XML bomb. The ZERO entity contains one character, the letter A. The choice
of entity name ZERO is being used to indicate length equivalent to that
exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers
to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or
2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32
characters in length, or 4 GB, probably consuming far more data than
<!DOCTYPE MaliciousDTD [
<!ENTITY ZERO "A">
<!ENTITY ONE "&ZERO;&ZERO;">
<!ENTITY TWO "&ONE;&ONE;">
If possible, prohibit the use of DTDs or use an XML parser that limits
the expansion of recursive DTD entities.
Before parsing XML files with associated DTDs, scan for recursive
entity declarations and do not continue parsing potentially explosive
Mapped Taxonomy Name Node ID Fit Mapped Node Name
WASC 44 XML Entity Expansion
Submissions Submission Date Submitter Organization Source 2009-06-30 Internal CWE Team Modifications Modification Date Modifier Organization Source 2010-02-16 MITRE Internal updated Taxonomy_Mappings 2010-12-13 MITRE Internal updated Relationships 2011-06-01 MITRE Internal updated Common_Consequences 2012-05-11 MITRE Internal updated Demonstrative_Examples 2013-02-21 MITRE Internal updated Alternate_Terms, Applicable_Platforms,
Description, Name, Observed_Examples, References,
Relationships Previous Entry Names Change Date Previous Entry
Name 2013-02-21 Unrestricted Recursive Entity
References in DTDs ('XML Bomb')