Unrestricted Recursive Entity References in DTDs ('XML Bomb')
Weakness ID: 776 (Weakness Variant)
Status: Draft
+ Description

Description Summary

The software requires the use of XML documents and allows their structure to be defined with a Document Type Definition (DTD). The software allows the DTD to recursively define entities which can lead to explosive growth of data when parsed.
+ Alternate Terms
Billion Laughs Attack
+ Time of Introduction
  • Implementation
  • Operation
+ Applicable Platforms

Languages

XML

+ Common Consequences
Scope: Availability

Effect: If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.

+ Likelihood of Exploit

Low to Medium

+ Demonstrative Examples

Example 1

The DTD and the very brief XML document below illustrate what is meant by an XML bomb. The entity ZERO contains a single character, the letter A. The entity names encode the exponent of two that gives each entity's expanded length: ZERO expands to 2^0 = 1 character. ONE references ZERO twice, so the parser expands it to 2 characters, or 2^1; TWO references ONE twice and expands to 2^2 characters, and so on. Ultimately entity THIRTYTWO expands to 2^32 characters, or 4 GiB, from a document that is only a few hundred bytes long, consuming far more memory than expected. Strictly speaking the references are nested rather than recursive: an entity that refers, directly or indirectly, to itself violates XML well-formedness and a conforming parser rejects it, which is why the attack uses a chain of 33 entities whose size doubles at each level.

(Attack)
Example Language: XML 
<?xml version="1.0"?>
<!DOCTYPE MaliciousDTD [
<!ENTITY ZERO "A">
<!ENTITY ONE "&ZERO;&ZERO;">
<!ENTITY TWO "&ONE;&ONE;">
...
<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
]>
<data>&THIRTYTWO;</data>
+ Observed Examples
Reference: CVE-2009-1955 - XML bomb in web server module
Reference: CVE-2003-1564 - Parsing library allows XML bomb
+ Potential Mitigations

Phase: Operation

If possible, prohibit the use of DTDs entirely (reject any document carrying a DOCTYPE declaration), or use an XML parser that limits the expansion of DTD entities, for example by capping the total expanded size or the ratio of expanded output to input.

Phase: Implementation

Before parsing XML files with associated DTDs, scan the entity declarations, compute what each entity would expand to without actually expanding it, and do not continue parsing when that size exceeds a fixed budget.
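The following is an added example, not code from the CWE entry or any vendor, that implements the Implementation-phase mitigation above in Python using only the standard library's expat binding. It registers DTD declaration handlers, costs each internal entity by walking the declaration graph rather than expanding it, and aborts parsing when the DOCTYPE closes so that no reference in the document body is ever expanded. The budget constant MAX_EXPANSION_BYTES, the function names, and both sample documents (a benign one and a generated 33-entity doubling chain like the entry's) are assumptions constructed for this illustration; external DTDs and parameter entities are out of scope and should be disabled separately.

```python
"""Pre-parse guard for entity-expansion bombs (CWE-776).

Added illustration, not CWE or vendor code. The budget, the function
names and the sample inputs below are assumptions made for this example.
Only the internal DTD subset is examined.
"""
import re
from xml.parsers import expat

MAX_EXPANSION_BYTES = 1_000_000  # hypothetical budget; tune per deployment

# A general entity reference such as &ONE; inside replacement text.
# expat resolves character references (&#65;) before the declaration
# handler runs, so only named references remain to be counted.
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")


class XmlBombError(ValueError):
    """The DTD would expand beyond the configured budget."""


def expanded_size(name, entities, memo, visiting=frozenset()):
    """Length of entity `name` after full expansion.

    Walks the declaration graph instead of building the text, so costing
    a 2^32-byte bomb takes 33 additions rather than 4 GiB of memory.
    """
    if name in memo:
        return memo[name]
    if name in visiting:
        # XML forbids this (WFC: No Recursion); treat it as hostile.
        raise XmlBombError(f"entity {name!r} refers to itself")
    value = entities.get(name)
    if value is None:
        return len(name) + 2  # undeclared or external: reference stays literal
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(value):
        total += m.start() - pos
        total += expanded_size(m.group(1), entities, memo, visiting | {name})
        pos = m.end()
    total += len(value) - pos
    memo[name] = total
    return total


def check_dtd(xml_bytes, budget=MAX_EXPANSION_BYTES, allow_dtd=True):
    """Scan the internal DTD subset of `xml_bytes` before real parsing.

    Raises XmlBombError if any internal entity would expand past `budget`
    bytes, or if allow_dtd is False and a DOCTYPE is present at all.
    Parsing stops when the DOCTYPE closes (or the root element starts),
    so no reference in the body is expanded. Returns the largest
    expansion observed, in bytes.
    """
    entities = {}
    worst = 0

    class _Stop(Exception):
        pass

    def audit(names):
        nonlocal worst
        memo = {}
        for n in names:
            size = expanded_size(n, entities, memo)
            worst = max(worst, size)
            if size > budget:
                raise XmlBombError(f"entity {n!r} expands to {size} bytes (budget {budget})")

    def on_start_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise XmlBombError("DOCTYPE declarations are not permitted")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if is_param or value is None:  # parameter or external entity: not tracked
            return
        entities[name] = value
        # Check now: an ATTLIST default later in the DTD may reference this
        # entity and be expanded by the parser before the DOCTYPE closes.
        audit([name])

    def on_end_doctype():
        audit(list(entities))  # re-check everything for forward references
        raise _Stop()

    def on_start_element(name, attrs):
        raise _Stop()  # reached the body: nothing further to audit

    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_start_doctype
    p.EntityDeclHandler = on_entity
    p.EndDoctypeDeclHandler = on_end_doctype
    p.StartElementHandler = on_start_element
    try:
        p.Parse(xml_bytes, True)
    except _Stop:
        pass
    return worst


def build_bomb(levels):
    """Constructed sample: a doubling chain E0 .. E<levels> like the entry's."""
    decls = ['<!ENTITY E0 "A">']
    decls += [f'<!ENTITY E{i} "&E{i-1};&E{i-1};">' for i in range(1, levels + 1)]
    return ("<?xml version='1.0'?>\n<!DOCTYPE data [\n" + "\n".join(decls)
            + f"\n]>\n<data>&E{levels};</data>").encode()


BENIGN = b"""<?xml version='1.0'?>
<!DOCTYPE note [
<!ENTITY company "ACME Corp">
<!ENTITY greeting "Hello from &company;">
]>
<note>&greeting;</note>"""  # constructed sample input

if __name__ == "__main__":
    print("benign largest entity:", check_dtd(BENIGN), "bytes")
    try:
        check_dtd(build_bomb(32))
    except XmlBombError as e:
        print("rejected:", e)
```

Run the guard on untrusted input first and only hand the bytes to the real parser once it returns; with the default budget the 33-level chain is rejected at the declaration of E20 (2^20 bytes), long before the body is touched. The per-declaration audit exists because a conforming parser expands entity references inside ATTLIST default values while still reading the DTD, so waiting for the DOCTYPE to close would be too late for that case. A cycle in the declarations is reported as an attack as well, since XML never permits one.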

+ Relationships
Nature   Type           ID   Name                                                              View(s) this relationship pertains to
ChildOf  Weakness Base  409  Improper Handling of Highly Compressed Data (Data Amplification)  Development Concepts (primary) 699; Research Concepts (primary) 1000
+ Taxonomy Mappings
Mapped Taxonomy Name  Node ID  Fit  Mapped Node Name
WASC                  44            XML Entity Expansion
+ References
Amit Klein. "Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD". 2002-12-16. <http://www.securityfocus.com/archive/1/303509>.
Rami Jaamour. "XML security: Preventing XML bombs". 2006-02-22. <http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1168442,00.html?asrc=SS_CLA_302%20%20558&psrc=CLT_92#>.
Didier Stevens. "Dismantling an XML-Bomb". 2008-09-23. <http://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/>.
Robert Auger. "XML Entity Expansion". <http://projects.webappsec.org/XML-Entity-Expansion>.
Elliotte Rusty Harold. "Tip: Configure SAX parsers for secure processing". 2005-05-27. <http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html>.
+ Content History
Submissions
Submission Date  Submitter          Organization  Source
2009-06-30       Internal CWE Team