CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Mittel
Draft
2009-07-27
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Benachrichtigungen für ein CWE
Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.
Name: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
CWE-Beschreibung
If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
Allgemeine Informationen
Einführungsmodi
ImplementationOperation
Anwendbare Plattformen
Sprache
Class: Not Language-Specific (Undetermined)Name: XML (Undetermined)
Technologien
Class: Not Technology-Specific (Undetermined)Häufige Konsequenzen
| Bereich | Auswirkung | Wahrscheinlichkeit |
|---|---|---|
| Availability | DoS: Resource Consumption (Other) Note: If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources. |
Beobachtete Beispiele
| Referenzen | Beschreibung |
|---|---|
CVE-2008-3281 | XEE in XML-parsing library. |
CVE-2011-3288 | XML bomb / XEE in enterprise communication product. |
CVE-2011-1755 | "Billion laughs" attack in XMPP server daemon. |
CVE-2009-1955 | XML bomb in web server module |
CVE-2003-1564 | Parsing library allows XML bomb |
Mögliche Gegenmaßnahmen
Phases : OperationIf possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
Phases : Implementation
Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
Erkennungsmethoden
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Wirksamkeit : High
Hinweise zur Schwachstellen-Zuordnung
Begründung : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Kommentar : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Verwandte Angriffsmuster
| CAPEC-ID | Name des Angriffsmusters |
|---|---|
| CAPEC-197 | Exponential Data Expansion
An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory. |
Referenzen
REF-676
Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTDAmit Klein.
https://seclists.org/fulldisclosure/2002/Dec/229
REF-677
XML security: Preventing XML bombsRami Jaamour.
http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1168442,00.html?asrc=SS_CLA_302%20%20558&psrc=CLT_92#
REF-678
Dismantling an XML-BombDidier Stevens.
https://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/
REF-679
XML Entity ExpansionRobert Auger.
http://projects.webappsec.org/w/page/13247002/XML%20Entity%20Expansion
REF-680
Tip: Configure SAX parsers for secure processingElliotte Rusty Harold.
https://web.archive.org/web/20101005080451/http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html
REF-500
XML Denial of Service Attacks and DefensesBryan Sullivan.
https://learn.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses
REF-682
Preventing Entity Expansion Attacks in JAXBBlaise Doughan.
http://blog.bdoughan.com/2011/03/preventing-entity-expansion-attacks-in.html
Einreichung
| Name | Organisation | Datum | Veröffentlichungsdatum | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | 1.5 |
Änderungen
| Name | Organisation | Datum | Kommentar |
|---|---|---|---|
| CWE Content Team | MITRE | updated Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Alternate_Terms, Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships | |
| CWE Content Team | MITRE | updated Likelihood_of_Exploit, References | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships, Type | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Detection_Factors, References, Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Relationships, Weakness_Ordinalities |
