Unrestricted Recursive Entity References in DTDs ('XML Bomb')
ID: 776 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Variant |
Description
The software requires the use of XML documents and allows their
structure to be defined with a Document Type Definition (DTD). The software
allows the DTD to recursively define entities which can lead to explosive growth
of data when parsed.
Likelihood of Exploit: Low to Medium
Applicable Platforms
Language: XML
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Availability | DoS: resource consumption (other) | If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources. |
Detection Methods None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Operation | | If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities. | | |
Implementation | | Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content. | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-776 ChildOf CWE-409 | Weakness | CWE-1000, CWE-699 | |
Demonstrative Examples (Details)
- The DTD and the very brief XML below illustrate what is meant by an
XML bomb. The ZERO entity contains one character, the letter A. The entity
name ZERO indicates the exponent of two that gives its length, that is, the
length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, so the XML parser
will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity
THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably
consuming far more data than expected. (Demonstrative Example Id DX-53)
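As an added example that is not part of the CWE entry, the following Python implements the Implementation mitigation above as a pre-parse check: it reads the general entity declarations in the internal DTD subset, computes how large each entity would become by arithmetic over the reference graph instead of expanding it, and rejects documents with cyclic declarations or an entity whose expansion exceeds a limit. The sample document is constructed here and uses the names E0..E32 in place of ZERO..THIRTYTWO; the limit value is an assumption.

```python
import re
ENTITY_DECL = re.compile(r'<!ENTITY\s+([^\s%&]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([^;&\s]+);')

def internal_subset_entities(xml_text):
    """Return {name: literal value} of general entities declared in the DOCTYPE's [...] subset."""
    start = xml_text.find('<!DOCTYPE')
    open_br = xml_text.find('[', start) if start != -1 else -1
    close_br = xml_text.find(']>', open_br) if open_br != -1 else -1
    if close_br == -1:
        return {}
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ENTITY_DECL.finditer(xml_text[open_br + 1:close_br])}

def expanded_length(name, entities, cache, visiting):
    """Length of &name; after full expansion, computed by arithmetic only; ValueError on a cycle."""
    if name in cache:
        return cache[name]
    if name in visiting:
        raise ValueError(f"recursive entity reference involving &{name};")
    visiting.add(name)
    value, total, last = entities[name], 0, 0
    for m in ENTITY_REF.finditer(value):
        ref = m.group(1)
        total += m.start() - last
        # Undeclared names (e.g. the predefined &amp;) are counted at their literal length.
        total += expanded_length(ref, entities, cache, visiting) if ref in entities else len(m.group(0))
        last = m.end()
    visiting.discard(name)
    cache[name] = total + len(value) - last
    return cache[name]

def check_xml_bomb(xml_text, limit=10_000_000):
    """Return (is_bomb, detail): cyclic declarations or any entity expanding past `limit` are rejected."""
    entities, cache, worst = internal_subset_entities(xml_text), {}, (0, None)
    for name in entities:
        try:
            size = expanded_length(name, entities, cache, set())
        except ValueError as err:
            return True, str(err)
        if size > worst[0]:
            worst = (size, name)
    if worst[0] > limit:
        return True, f"&{worst[1]}; expands to {worst[0]} characters (limit {limit})"
    return False, f"largest entity expands to {worst[0]} characters"

# Constructed sample mirroring the page's ZERO..THIRTYTWO scheme under the names E0..E32:
# every level references the previous one twice, so E32 expands to 2**32 characters.
BOMB = ('<?xml version="1.0"?><!DOCTYPE bomb [<!ENTITY E0 "A">'
        + ''.join(f'<!ENTITY E{i} "&E{i-1};&E{i-1};">' for i in range(1, 33)) + ']><bomb>&E32;</bomb>')
```

Running the check before handing the bytes to a real parser keeps the decision in code that never allocates the expanded text, which is the property the Implementation mitigation asks for.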
Observed Examples
- CVE-2009-1955 : XML bomb in web server module
- CVE-2003-1564 : Parsing library allows XML bomb
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
WASC | 44 | XML Entity Expansion | |