CWE
CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.1)  

CWE-776: Unrestricted Recursive Entity References in DTDs ('XML Bomb')

 
Unrestricted Recursive Entity References in DTDs ('XML Bomb')
Weakness ID: 776 (Weakness Variant)Status: Draft
+ Description

Description Summary

The software requires the use of XML documents and allows their structure to be defined with a Document Type Definition (DTD). The software allows the DTD to recursively define entities which can lead to explosive growth of data when parsed.
+ Alternate Terms
Billion Laughs Attack
+ Time of Introduction
  • Implementation
  • Operation
+ Applicable Platforms

Languages

XML

+ Common Consequences
ScopeEffect
Availability

Technical Impact: DoS: resource consumption (other)

If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.

+ Likelihood of Exploit

Low to Medium

+ Demonstrative Examples

Example 1

The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.

(Attack)
Example Language: XML 
<?xml version="1.0"?>
<!DOCTYPE MaliciousDTD [
<!ENTITY ZERO "A">
<!ENTITY ONE "&ZERO;&ZERO;">
<!ENTITY TWO "&ONE;&ONE;">
...
<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
]>
<data>&THIRTYTWO;</data>
+ Observed Examples
ReferenceDescription
CVE-2009-1955XML bomb in web server module
CVE-2003-1564Parsing library allows XML bomb
+ Potential Mitigations

Phase: Operation

If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.

Phase: Implementation

Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base409Improper Handling of Highly Compressed Data (Data Amplification)
Development Concepts (primary)699
Research Concepts (primary)1000
CanFollowWeakness BaseWeakness Base827Improper Control of Document Type Definition
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
WASC44XML Entity Expansion
+ References
Amit Klein. "Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD". 2002-12-16. <http://www.securityfocus.com/archive/1/303509>.
Didier Stevens. "Dismantling an XML-Bomb". 2008-09-23. <http://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/>.
Robert Auger. "XML Entity Expansion". <http://projects.webappsec.org/XML-Entity-Expansion>.
Elliotte Rusty Harold. "Tip: Configure SAX parsers for secure processing". 2005-05-27. <http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2009-06-30Internal CWE Team
Modifications
Modification DateModifierOrganizationSource
2010-02-16CWE Content TeamMITREInternal
updated Taxonomy_Mappings
2010-12-13CWE Content TeamMITREInternal
updated Relationships
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
Back to top
Page Last Updated: September 12, 2011
 

CWE is a Software Assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2012, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us