

XML Entity Expansion

Page history last edited by Robert Auger 10 years, 10 months ago

Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-44



XML Entity Expansion

The XML Entity expansion attack exploits a capability in XML DTDs that allows the creation of custom macros, called entities, that can be used throughout a document. By recursively defining a set of custom entities at the top of a document, an attacker can overwhelm parsers that attempt to completely resolve the entities by forcing them to iterate almost indefinitely on these recursive definitions.

The malicious XML message is used to force recursive entity expansion (or other repeated processing) that completely uses up available server resources. The most common example of this type of attack is the "many laughs" attack (sometimes called the 'billion laughs' attack).


<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY ha "Ha !">
<!ENTITY ha2 "&ha; &ha;">
<!ENTITY ha3 "&ha2; &ha2;">
<!ENTITY ha4 "&ha3; &ha3;">
<!ENTITY ha5 "&ha4; &ha4;">
<!-- ha6 through ha127 follow the same doubling pattern -->
<!ENTITY ha128 "&ha127; &ha127;">
]>
<root>&ha128;</root>


In the above example, the CPU is monopolized while the entities are being expanded, and each expanded entity occupies memory; the expansion eventually consumes all available resources and effectively prevents legitimate traffic from being processed.


One of the first widespread XML DoS attacks was an entity expansion attack, where an unprivileged user could use completely correct entity declarations in an XML message to cause a DoS condition on unprotected/unhardened XML 1.0 standard-compliant parsers. When a vulnerable parser encounters such a message, recursive entity declarations cause the parser to shut down with an out-of-memory error or to use an excessive amount of processor cycles.

Another form of entity expansion is the quadratic blowup attack. Here the attacker uses the entity feature to define a single huge entity (say, 100KB) and references it many times (say, 30000 times) inside an element that the application uses (e.g. inside a SOAP string parameter).


For example:

<?xml version="1.0"?>
<!DOCTYPE foobar [<!ENTITY x "AAAAA… [100KB of them] … AAAA">]>
<hi>&x;&x;….[30000 of them] … &x;&x;</hi>
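The two patterns above (a doubling chain of entity declarations, and one large entity referenced many times) can both be stopped before they cost the server anything. The following guard is an added example, not code from the WASC page or from any of the referenced papers; it wraps Python's standard-library expat parser with two policy checks. At declaration time it derives each internal entity's fully expanded size from the sizes of the entities it references, so a recursive chain is rejected while still inside the DTD; during content parsing it caps total character data at a multiple of the raw input size, which catches the quadratic case after a handful of expansions. The class and function names, the two limits (10,000 characters per entity, 10x amplification) and the three sample documents are assumptions constructed for illustration.

```python
"""Guard against entity expansion when parsing untrusted XML.

Added example (not from the WASC page): wraps the stdlib expat parser with
two policy checks so that both the 'many laughs' chain and the 'quadratic
blowup' pattern are rejected cheaply, before server resources are consumed.
"""
import re
import xml.parsers.expat as expat

# Matches a general entity reference such as &ha2; inside an entity value.
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")


class EntityExpansionError(ValueError):
    """The document's entity declarations or their expansion exceed policy."""


class GuardedXMLParser:
    """expat wrapper that aborts on excessive entity expansion.

    Check 1 (declaration time): the expanded size of every internal entity is
    derived from the sizes of the entities it references, so a doubling chain
    is rejected inside the DTD before any expansion work is done.
    Check 2 (content time): total character data is capped at a multiple of
    the raw input size, which stops one large entity referenced thousands of
    times after only a few expansions.
    Both limits are assumed policy values, not standard defaults.
    """

    def __init__(self, max_entity_size: int = 10_000, max_amplification: int = 10):
        self.max_entity_size = max_entity_size
        self.max_amplification = max_amplification
        self.entity_sizes: dict[str, int] = {}
        self.input_size = 0
        self.chars_seen = 0
        self.text_chunks: list[str] = []

    def _on_entity_decl(self, name, is_param, value, base, system_id, public_id, notation):
        if value is None:
            # External entity (no inline value): refuse it; fetching it is a separate risk.
            raise EntityExpansionError(f"external entity {name!r} is not allowed")
        size = len(value)
        for ref in ENTITY_REF.findall(value):
            if ref in self.entity_sizes:
                # Replace the literal '&ref;' with the referenced entity's expanded size.
                size += self.entity_sizes[ref] - (len(ref) + 2)
        if size > self.max_entity_size:
            raise EntityExpansionError(
                f"entity {name!r} would expand to {size} characters (limit {self.max_entity_size})"
            )
        self.entity_sizes[name] = size

    def _on_chars(self, data: str) -> None:
        self.chars_seen += len(data)
        if self.chars_seen > self.max_amplification * self.input_size:
            raise EntityExpansionError(
                f"expanded content exceeds {self.max_amplification}x the {self.input_size}-byte input"
            )
        self.text_chunks.append(data)

    def parse(self, data: bytes) -> str:
        """Parse the document and return its concatenated character data."""
        self.input_size = len(data)
        parser = expat.ParserCreate()
        parser.EntityDeclHandler = self._on_entity_decl
        parser.CharacterDataHandler = self._on_chars
        parser.Parse(data, True)  # exceptions raised in handlers propagate from here
        return "".join(self.text_chunks)


def verdict(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for an untrusted document."""
    try:
        GuardedXMLParser().parse(data)
        return "accepted"
    except EntityExpansionError as exc:
        return f"rejected: {exc}"


# Constructed sample inputs (not real traffic). The chain stops at depth 12,
# which already exceeds the assumed 10,000-character per-entity limit.
BENIGN_DOC = b'<?xml version="1.0"?><root>hello &amp; welcome</root>'
LAUGHS_DOC = (
    b'<?xml version="1.0"?><!DOCTYPE root [<!ENTITY ha1 "Ha !">'
    + b"".join(b'<!ENTITY ha%d "&ha%d; &ha%d;">' % (i, i - 1, i - 1) for i in range(2, 13))
    + b"]><root>&ha12;</root>"
)
BLOWUP_DOC = (
    b'<?xml version="1.0"?><!DOCTYPE root [<!ENTITY x "' + b"A" * 1000 + b'">]>'
    + b"<root>" + b"&x;" * 200 + b"</root>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("laughs", LAUGHS_DOC), ("blowup", BLOWUP_DOC)):
        print(f"{label}: {verdict(doc)}")
```

The size check rejects the chain at the twelfth declaration (10239 characters) without expanding anything, and the amplification check rejects the 1,000-byte entity after the seventeenth reference rather than after all 200. Maintained hardening libraries such as defusedxml take the blunter route of refusing any entity declaration at all, which is the right default when the application never needs custom entities.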


[1] Amit Klein, "Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD", http://www.securityfocus.com/archive/1/303509

[2] Andre Yee (NFR Security), "Threat Protection in a Service Oriented World", http://www.unatekconference.com/images/pdfs/presentations/Yee.pdf

[3] Pete Lindstrom (Research Director, Spire Security, LLC), "Attacking and Defending Web Services", http://www.forumsys.com/resources/resources/whitepapers/Attacking_and_Defending_WS.pdf

[4] Elliotte Rusty Harold, "Configure SAX parsers for secure processing", http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html

[5] Steve Orrin (Dir. of Security Solutions, SSG-SPI, Intel Corp.), "The SOA/XML Threat Model and New XML/SOA/Web 2.0 Attacks & Threats", Defcon 15, http://www.safesoa.org/data/dc-15-Orrin-v2.pdf
