1. Home
  2. CWE Database
  3. CWE-776
Base · Medium

CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

CWE-776 · Base Level ·5 CVEs ·2 Mitigations

Description

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.

Potential Impact

Availability

DoS: Resource Consumption (Other)

Demonstrative Examples

The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
Attack
<?xml version="1.0"?><!DOCTYPE MaliciousDTD [<!ENTITY ZERO "A"><!ENTITY ONE "&ZERO;&ZERO;"><!ENTITY TWO "&ONE;&ONE;">...<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">]><data>&THIRTYTWO;</data>

Mitigations & Prevention

Operation

If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.

Implementation

Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2008-3281XEE in XML-parsing library.
CVE-2011-3288XML bomb / XEE in enterprise communication product.
CVE-2011-1755"Billion laughs" attack in XMPP server daemon.
CVE-2009-1955XML bomb in web server module
CVE-2003-1564Parsing library allows XML bomb

CWE-674: Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as ...

CWE-405: Asymmetric Resource Consumption (Amplification)

The product does not properly control situations in which an adversary can cause the product to consume or produce exces...

Taxonomy Mappings

  • WASC: 44 — XML Entity Expansion

Frequently Asked Questions

What is CWE-776?

CWE-776 (Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

How can CWE-776 be exploited?

Attackers can exploit CWE-776 (Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')) to dos: resource consumption (other). This weakness is typically introduced during the Implementation, Operation phase of software development.

How do I prevent CWE-776?

Key mitigations include: If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.

What is the severity of CWE-776?

CWE-776 is classified as a Base-level weakness (Medium abstraction). It has been observed in 5 real-world CVEs.