CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (3.0)  
ID

CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Weakness ID: 776
Abstraction: Variant
Structure: Simple
Status: Draft
Presentation Filter:
+ Description
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
+ Extended Description
If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
+ Relationships

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

+ Relevant to the view "Research Concepts" (CWE-1000)
+ Relevant to the view "Development Concepts" (CWE-699)
+ Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the software life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

PhaseNote
Implementation
Operation
+ Applicable Platforms
The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

XML: (Undetermined Prevalence)

Paradigms

Web Based: (Undetermined Prevalence)

+ Common Consequences

The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Availability

Technical Impact: DoS: Resource Consumption (Other)

If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.
+ Alternate Terms
XEE:XEE is the acronym commonly used for XML Entity Expansion.
Billion Laughs Attack
XML Bomb:While the "XML Bomb" term was used in the early years of knowledge of this issue, the XEE term seems to be more commonly used.
+ Likelihood Of Exploit
Medium
+ Demonstrative Examples

Example 1

The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.

(attack)
Example Language: XML 
<?xml version="1.0"?>
<!DOCTYPE MaliciousDTD [
<!ENTITY ZERO "A">
<!ENTITY ONE "&ZERO;&ZERO;">
<!ENTITY TWO "&ONE;&ONE;">
...
<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
]>
<data>&THIRTYTWO;</data>
+ Observed Examples
ReferenceDescription
XEE in XML-parsing library.
XML bomb / XEE in enterprise communication product.
"Billion laughs" attack in XMPP server daemon.
XML bomb in web server module
Parsing library allows XML bomb
+ Potential Mitigations

Phase: Operation

If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.

Phase: Implementation

Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
WASC44XML Entity Expansion
+ References
[REF-676] Amit Klein. "Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD". 2002-12-16. <http://www.securityfocus.com/archive/1/303509>.
[REF-678] Didier Stevens. "Dismantling an XML-Bomb". 2008-09-23. <http://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/>.
[REF-679] Robert Auger. "XML Entity Expansion". <http://projects.webappsec.org/XML-Entity-Expansion>.
[REF-680] Elliotte Rusty Harold. "Tip: Configure SAX parsers for secure processing". 2005-05-27. <http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html>.
[REF-500] Bryan Sullivan. "XML Denial of Service Attacks and Defenses". 2009-09. <http://msdn.microsoft.com/en-us/magazine/ee335713.aspx>.
[REF-682] Blaise Doughan. "Preventing Entity Expansion Attacks in JAXB". 2011-03-11. <http://blog.bdoughan.com/2011/03/preventing-entity-expansion-attacks-in.html>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2009-06-30CWE Content TeamMITRE
Modifications
Modification DateModifierOrganizationSource
2010-02-16CWE Content TeamMITRE
updated Taxonomy_Mappings
2010-12-13CWE Content TeamMITRE
updated Relationships
2011-06-01CWE Content TeamMITRE
updated Common_Consequences
2012-05-11CWE Content TeamMITRE
updated Demonstrative_Examples
2013-02-21CWE Content TeamMITRE
updated Alternate_Terms, Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships
2017-11-08CWE Content TeamMITRE
updated Likelihood_of_Exploit, References
Previous Entry Names
Change DatePrevious Entry Name
2013-02-21Unrestricted Recursive Entity References in DTDs ('XML Bomb')

More information is available — Please select a different filter.
Page Last Updated: November 14, 2017