XEE attack (billion laughs attack)

• What is an XEE attack?
• Vulnerable code examples
• Peculiarities of default parser settings
• Additional links

An XEE attack is a type of an application attack. It's also called a billion laughs attack or an XML bombs attack. The essence of this attack is that an insecurely configured XML parser processes external data. As a result of this attack, you may get denial of service (DoS).

Note. XEE and XXE are different attack types. You can read about an XXE attack here. 

What is an XEE attack?

XML files may contain the document type definition (DTD). DTD allows us to define and use XML entities. Entities can either refer to some external resource or be fully defined inside the document. In the latter case, they can be represented by a string or other entities, for example.

An XML file with examples of such entities:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE foo [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;">
]>
<foo>&lol1;</foo>

The file contains the 'lol' and 'lol1' entities. The first entity is defined through a string, and the second one — through other entities.  The value of the 'lol1' entity results in the 'lollol' string.

You can increase the nesting and the number of entities. For example, like this:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE foo [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<foo>&lol2;</foo>

The 'lol2' entity expands as follows:

lollollollollollollollollollollollollollollollollollollollollollollol
lollollollollollollollollollollollollollollollollollollollollollollol
lollollollollollollollollollollollollollollollollollollollollollollol
lollollollollollollollollollollollollollollollollollollollollollollol
lollollollollollollollol

So-called XML bombs are created in a similar way, by increasing the number of nested entities. XML bombs are small files that enlarge when entities are expanded. That's where the name of this attack type comes from:

• XEE (XML Entity Expansion);
• billion laughs (because of a multiple repetition of 'lol').

Thus, a hacker can perform a DoS attack with XML bombs if:

• an attacker can pass an XML bomb to an application;
• an XML parser that processes this file has an insecure configuration.

Vulnerable code examples

Below is an example of code vulnerable to an XEE attack:

static void XEETarget(String pathToXml)
{
  XmlReaderSettings settings = new XmlReaderSettings()
  {
    DtdProcessing = DtdProcessing.Parse,
    MaxCharactersFromEntities = 0
  };

  using (var xml = File.OpenRead(pathToXml))
  {
    using (var reader = XmlReader.Create(xml, settings))
    {
      while (reader.Read())
      {
        if (reader.NodeType == XmlNodeType.Text)
          Console.WriteLine(reader.Value);
      }
    }
  }
}

In this code fragment, reader parses an XML file. This parser is vulnerable to XML bombs since it was created with insecure settings:

• DTD processing is allowed. The DtdProcessing property has the DtdProcessing.Parse value;
• there's no limit on the size of entities. The MaxCharactersFromEntities property has 0.

As a result, the parser may freeze in attempt to parse an XML bomb and start consuming a large amount of memory.

If you want to make a parser resistant to XEE attacks, it is enough to set at least one of the following options for it:

• prohibit or ignore DTD processing. Set the Prohibit/Ignore value for the DtdProcessing property.
• set limits on the maximum size of entities.

Below is an example of settings in which the DTD processing is allowed, but the maximum size of entities is limited:

XmlReaderSettings settings = new XmlReaderSettings()
{
  DtdProcessing = DtdProcessing.Parse,
  MaxCharactersFromEntities = 1024
};

If, during the XML file parsing, the size of entities exceeds the set limits, then the XML parser throws an exception of the XmlException type.

Peculiarities of default parser settings

Note that the default settings of some XML parsers may vary in different versions of libraries. For example, Microsoft changed the settings of some XML parsers between .NET Framework 4.5.1 and .NET Framework 4.5.2, making them more secure by default.

Look at the example:

static void XEETarget(String pathToXml)
{
  using (var xml = File.OpenRead(pathToXml))
  {
    var settings = new XmlReaderSettings()
    {
      DtdProcessing = DtdProcessing.Parse
    };

    using (var reader = XmlReader.Create(xml, settings))
    {
      while (reader.Read())
      {
        // Process XML
      }
    }
  }
}

This code fragment is vulnerable to XEE attacks in .NET Framework 4.5.1 and older versions. It does not set limits on entities size — the value of the MaxCharactersFromEntities property is 0. In .NET Framework 4.5.2 and newer versions a limit on entities size is set by default. As a result, this code fragment is resistant to XEE attacks.

Additional links

• How Visual Studio 2022 ate up 100 GB of memory and what XML bombs had to do with it
• CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
• XML External Entity Prevention Cheat Sheet
• OWASP, vulnerabilities, and taint analysis in PVS-Studio for C#. Stir, but don't shake
• V5615: Potential XEE vulnerability. Insecure XML parser is used to process potentially tainted data
• XXE attack

0

0

0

0

SHARE

We can email you a selection of our best articles once a month