Unrestricted Recursive Entity References in DTDs ('XML Bomb') |
Weakness ID: 776 (Weakness Variant) | Status: Draft |
Description Summary
Scope | Effect |
---|---|
Availability | If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources. |
Example 1
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
Reference | Description |
---|---|
CVE-2009-1955 | XML bomb in web server module |
CVE-2003-1564 | Parsing library allows XML bomb |
Phase: Operation If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities. |
Phase: Implementation Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Base | 409 | Improper Handling of Highly Compressed Data (Data Amplification) | Development Concepts (primary)699 Research Concepts (primary)1000 |
Amit Klein. "Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD". 2002-12-16. <http://www.securityfocus.com/archive/1/303509>. |
Rami Jaamour. "XML security: Preventing XML bombs". 2006-02-22. <http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1168442,00.html?asrc=SS_CLA_302%20%20558&psrc=CLT_92#>. |
Didier Stevens. "Dismantling an XML-Bomb". 2008-09-23. <http://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/>. |
Robert Auger. "XML Entity Expansion". <http://projects.webappsec.org/XML-Entity-Expansion>. |
Elliotte Rusty Harold. "Tip: Configure SAX parsers for secure processing". 2005-05-27. <http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html>. |