CWE-776 – Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’)

Description

The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

Related Weaknesses

CWE-674
CWE-409

Consequences

Availability: DoS: Resource Consumption (Other)

If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.

Potential Mitigations

Phase: Operation

Effectiveness:

Description:

If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.

Phase: Implementation

Effectiveness:

Description:

Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
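The two mitigations above, as an added example that is not part of the CWE entry or any project's code: the parser refuses any document carrying a DOCTYPE by default (Phase: Operation), and when DTDs must be accepted it pre-scans the internal subset, computes how large each entity would become from the reference graph alone, and rejects recursive or over-budget declarations before the real parser ever expands anything (Phase: Implementation). The budget `MAX_EXPANSION_BYTES`, the sample documents and all function names are assumptions constructed for this example; the scanner covers internal general entities only, since external entities belong to a different weakness.

```python
import re
from xml.etree import ElementTree as ET

# Constructed budget for this example: the largest expanded entity we accept.
MAX_EXPANSION_BYTES = 10_000

# Internal general entity declarations in the DTD's internal subset, e.g.
#   <!ENTITY lol1 "&lol;&lol;&lol;">
ENTITY_DECL = re.compile(r"""<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
# General entity references inside a replacement text, e.g. &lol;
ENTITY_REF = re.compile(r"&(\w+);")


class UnsafeDTD(ValueError):
    """Raised when the DTD would expand recursively or beyond the budget."""


def scan_entities(xml_text):
    """Collect name -> replacement text for every internal general entity declared."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ENTITY_DECL.finditer(xml_text)}


def expansion_sizes(entities, max_bytes=MAX_EXPANSION_BYTES):
    """Compute the fully expanded size of each entity WITHOUT materialising it.

    Sizes come from the reference graph, so a billion-laughs DTD is rejected
    after a handful of integer additions rather than gigabytes of string
    building. Cycles (a -> b -> a) and over-budget entities raise UnsafeDTD.
    """
    sizes = {}
    in_progress = set()

    def size_of(name):
        if name in sizes:
            return sizes[name]
        if name in in_progress:
            raise UnsafeDTD(f"recursive entity reference involving '{name}'")
        in_progress.add(name)
        value = entities[name]
        total, pos = 0, 0
        for ref in ENTITY_REF.finditer(value):
            total += ref.start() - pos          # literal text before the reference
            inner = ref.group(1)
            # Unknown or predefined entities (&amp; etc.) are counted literally.
            total += size_of(inner) if inner in entities else len(ref.group(0))
            pos = ref.end()
            if total > max_bytes:               # bail out early, never expand
                raise UnsafeDTD(f"entity '{name}' expands beyond {max_bytes} bytes")
        total += len(value) - pos               # trailing literal text
        in_progress.discard(name)
        sizes[name] = total
        return total

    for name in entities:
        size_of(name)
    return sizes


def is_safe_dtd(xml_text, max_bytes=MAX_EXPANSION_BYTES):
    """True when every declared entity fits the budget and nothing is recursive."""
    try:
        expansion_sizes(scan_entities(xml_text), max_bytes)
        return True
    except UnsafeDTD:
        return False


def parse_xml(xml_text, allow_dtd=False, max_bytes=MAX_EXPANSION_BYTES):
    """Parse untrusted XML, applying the two CWE-776 mitigations in order.

    allow_dtd=False: refuse any document carrying a DOCTYPE (fail closed; a
                     "<!DOCTYPE" inside a comment also rejects, which is the safe side).
    allow_dtd=True:  pre-scan the internal subset and hand the document to the
                     real parser only once every entity fits the budget.
    """
    if "<!DOCTYPE" in xml_text:
        if not allow_dtd:
            raise UnsafeDTD("DTDs are not permitted")
        expansion_sizes(scan_entities(xml_text), max_bytes)
    return ET.fromstring(xml_text)


# --- constructed sample inputs --------------------------------------------
BENIGN = '<!DOCTYPE note [<!ENTITY company "Example Corp">]><note>&company;</note>'

# Classic "billion laughs" shape: lol9 -> 10 x lol8 -> ... -> 10 x lol, 3 GB if expanded.
_decls = ['<!ENTITY lol "lol">']
_prev = "lol"
for _i in range(1, 10):
    _decls.append(f'<!ENTITY lol{_i} "{("&" + _prev + ";") * 10}">')
    _prev = f"lol{_i}"
BILLION_LAUGHS = "<!DOCTYPE lolz [" + "".join(_decls) + "]><lolz>&lol9;</lolz>"

# Directly recursive declarations, which the XML spec forbids outright.
RECURSIVE = '<!DOCTYPE r [<!ENTITY a "&b;"><!ENTITY b "&a;">]><r>&a;</r>'

if __name__ == "__main__":
    print(parse_xml(BENIGN, allow_dtd=True).text)
    for label, doc in (("billion laughs", BILLION_LAUGHS), ("recursive", RECURSIVE)):
        try:
            parse_xml(doc, allow_dtd=True)
        except UnsafeDTD as exc:
            print(f"{label}: rejected ({exc})")
```

The budget check runs on integers derived from the declaration graph, so rejecting the nine-level sample costs a few dozen additions and no memory; `expansion_sizes(..., max_bytes=10**10)` reports `lol9` at 3,000,000,000 bytes without ever building the string. In production, prefer a parser or library that enforces these limits natively where one is available; the pre-scan is the fallback the Implementation-phase mitigation describes.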

CVE References

  • CVE-2011-3288
    • XML bomb / XEE in enterprise communication product.
  • CVE-2011-1755
    • “Billion laughs” attack in XMPP server daemon.