Availability / XML Entity Expansion

Web and API

Description

XML Entity Expansion (CWE-611) is an attack in which an attacker sends crafted XML input to an XML parser, causing the parser to consume an excessive amount of resources (CPU, memory, etc.) while expanding the entities the document declares. This can result in a denial of service (DoS) that disrupts the availability of the application or website. It can also be used to inject malicious code into the application or website. According to the OWASP Testing Guide, XML Entity Expansion is often used in combination with XML External Entity (XXE) attacks.

Risk

XML Entity Expansion can have serious consequences for the availability of a web application or website. By consuming excessive parser resources, the attacker denies service to legitimate users, disrupting the application or website. It can also be used to inject malicious code into the application or website, which can lead to further disruption and data loss.

Solution

XML Entity Expansion can be mitigated by limiting the number of XML entities and the size to which they may expand, or by disabling external entities. Additionally, XML parsers should be configured to reject documents that declare an excessive number of entities.
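As an added example (not code from this page or its vendor), the following Python guard enforces those limits on the standard library's expat parser: it refuses external entities, caps the number and size of entity declarations, rejects entities that reference other entities, and aborts once the expanded character data exceeds a fixed multiple of the input size. The limit values and the sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

class XMLRejected(Exception): pass

def parse_with_entity_limits(xml_bytes, max_entities=4, max_entity_size=256,
                             max_expansion_ratio=10):
    """Parse with expat, aborting once an entity limit is exceeded (limits are assumed defaults)."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    state = {"entities": 0, "chars": 0, "elements": []}
    budget = max_expansion_ratio * max(len(xml_bytes), 1)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # External entities carry a SYSTEM/PUBLIC id: refuse them outright.
        if system_id is not None or public_id is not None:
            raise XMLRejected(f"external entity {name!r} not allowed")
        state["entities"] += 1
        if state["entities"] > max_entities:
            raise XMLRejected(f"more than {max_entities} entity declarations")
        if len(value or "") > max_entity_size:
            raise XMLRejected(f"entity {name!r} replacement text too large")
        # An entity referencing other entities is the building block of exponential expansion.
        if "&" in (value or ""):
            raise XMLRejected(f"entity {name!r} references another entity")

    def on_chars(data):
        # Expanded entity text arrives here, so this caps total output size.
        state["chars"] += len(data)
        if state["chars"] > budget:
            raise XMLRejected(f"expanded text exceeds {max_expansion_ratio}x input")

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_chars
    parser.StartElementHandler = lambda name, attrs: state["elements"].append(name)
    parser.Parse(xml_bytes, True)
    return {"elements": state["elements"], "expanded_chars": state["chars"]}

def check_document(xml_bytes):
    try:
        parse_with_entity_limits(xml_bytes)
        return "accepted"
    except (XMLRejected, expat.ExpatError) as exc:
        return f"rejected: {exc}"

# Constructed sample documents (not taken from the page).
BENIGN = b'<order><item>widget</item></order>'
NESTED = b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]><d>&b;</d>'
EXTERNAL = b'<!DOCTYPE d [<!ENTITY e SYSTEM "file:///placeholder/path">]><d>&e;</d>'
REPEATED = b'<!DOCTYPE d [<!ENTITY a "' + b"x" * 200 + b'">]><d>' + b"&a;" * 100 + b"</d>"
```

Because every check runs inside a parser callback, a violating document is rejected at the first offending declaration or the first excess chunk of expanded text, before the parser has done the work the attacker wants it to do.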
