CWE-776 Detail

CWE-776

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Likelihood of Exploit: Medium
Status: Draft
Released: 2009-07-27
Last modified: 2023-06-29

Name: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

CWE Description

If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.

General Information

Modes Of Introduction

Implementation
Operation

Applicable Platforms

Language: XML (Prevalence: Undetermined)

Common Consequences

Scope: Availability
Impact: DoS: Resource Consumption (Other)

Note: If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.

Observed Examples

CVE-2008-3281: XEE in XML-parsing library.
CVE-2011-3288: XML bomb / XEE in enterprise communication product.
CVE-2011-1755: "Billion laughs" attack in XMPP server daemon.
CVE-2009-1955: XML bomb in web server module.
CVE-2003-1564: Parsing library allows XML bomb.

Potential Mitigations

Phase: Operation
If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.

Phase: Implementation
Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
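A pre-parse scan of the kind the Implementation mitigation describes, added here as an example that is not part of the CWE entry: it collects the internal entity declarations from the DTD, reports any reference cycle, and computes the fully expanded size of every entity before the document is handed to a real XML parser. The threshold, the entity names and the three sample documents are constructed for illustration.

```python
import re

# Internal general entity declarations only, <!ENTITY name "value"> or '...';
# parameter (%) and external (SYSTEM/PUBLIC) entities deliberately do not match.
ENTITY_DECL = re.compile(r"""<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")   # char refs (&#..;) excluded
class RecursiveEntityError(Exception):
    """An entity reference chain loops back on itself."""

def parse_entities(doc):
    """Map entity name -> replacement text for each internal entity in the DTD."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ENTITY_DECL.finditer(doc)}

def expanded_size(name, entities, memo, stack):
    """Characters `name` yields after full expansion. Memoised, so deeply
    nested chains cost linear time; a name already on the stack is a cycle."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise RecursiveEntityError(name)
    if name not in entities:            # predefined (&amp;) or undeclared: kept verbatim
        return len(name) + 2
    stack.add(name)
    body = entities[name]
    total = len(ENTITY_REF.sub("", body))           # literal characters ...
    for ref in ENTITY_REF.findall(body):            # ... plus every nested expansion
        total += expanded_size(ref, entities, memo, stack)
    stack.discard(name)
    memo[name] = total
    return total

def check_dtd(doc, max_expanded=4096):
    """Pre-parse gate: ('ok', worst), ('too-large', worst) or ('recursive', name)."""
    entities = parse_entities(doc)
    memo = {}
    try:
        worst = max((expanded_size(n, entities, memo, set()) for n in entities), default=0)
    except RecursiveEntityError as err:
        return "recursive", str(err)
    return ("too-large" if worst > max_expanded else "ok"), worst

# Constructed samples (not from the CWE entry): five nesting levels with five
# references each (5**5 copies of "lol"), a direct cycle, and a benign DTD.
NESTED = '<!DOCTYPE r [<!ENTITY lol "lol">' + "".join(
    '<!ENTITY lol%d "%s">' % (i, ("&lol%s;" % ("" if i == 1 else i - 1)) * 5)
    for i in range(1, 6)) + "]><r>&lol5;</r>"
CYCLE = '<!DOCTYPE r [<!ENTITY a "&b;"><!ENTITY b "&a;">]><r>&a;</r>'
BENIGN = '<!DOCTYPE r [<!ENTITY co "Example Corp">]><r>&co; &amp; partners</r>'
```

The gate only covers internal general entities, so it complements rather than replaces the Operation mitigation of disabling DTDs or using a parser that caps entity expansion itself.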

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Effectiveness: High

Vulnerability Mapping Notes

Justification: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-197: Exponential Data Expansion
An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.

References

REF-676

Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD
Amit Klein.
https://seclists.org/fulldisclosure/2002/Dec/229

REF-677

XML security: Preventing XML bombs
Rami Jaamour.
http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1168442,00.html?asrc=SS_CLA_302%20%20558&psrc=CLT_92#

REF-678

Dismantling an XML-Bomb
Didier Stevens.
https://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/

REF-679

XML Entity Expansion
Robert Auger.
http://projects.webappsec.org/w/page/13247002/XML%20Entity%20Expansion

REF-680

Tip: Configure SAX parsers for secure processing
Elliotte Rusty Harold.
https://web.archive.org/web/20101005080451/http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html

REF-500

XML Denial of Service Attacks and Defenses
Bryan Sullivan.
https://learn.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses

REF-682

Preventing Entity Expansion Attacks in JAXB
Blaise Doughan.
http://blog.bdoughan.com/2011/03/preventing-entity-expansion-attacks-in.html

Submission

CWE Content Team (MITRE): submitted 2009-06-30, released 2009-07-27 in CWE version 1.5.

Modifications

All modifications by CWE Content Team (MITRE):
2010-02-16: updated Taxonomy_Mappings
2010-12-13: updated Relationships
2011-06-01: updated Common_Consequences
2012-05-11: updated Demonstrative_Examples
2013-02-21: updated Alternate_Terms, Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships
2017-11-08: updated Likelihood_of_Exploit, References
2018-03-27: updated Relationships
2019-06-20: updated Relationships, Type
2020-02-24: updated Applicable_Platforms, Relationships
2021-10-28: updated Relationships
2022-04-28: updated Related_Attack_Patterns
2023-01-31: updated Description
2023-04-27: updated Detection_Factors, References, Relationships
2023-06-29: updated Mapping_Notes