🟠High7.5

Billion Laughs Attack (XML Bomb)

Denial of Service attacks via recursive entity expansion causing memory exhaustion and CPU consumption.

CWE-776: Improper Restriction of Recursive Entity ReferencesOWASP Top 10:2021 - A05: Security Misconfiguration

Overview

The Billion Laughs attack (also known as an XML bomb or exponential entity expansion attack) is a Denial of Service attack that exploits XML entity expansion to consume excessive memory and CPU resources.

How It Works: Define entities that reference other entities recursively. Each level of expansion multiplies the data size exponentially, quickly exhausting server resources.

Attack Impact:

Memory exhaustion (OutOfMemoryError)
CPU saturation (100% utilization)
Application crash or hang
Server unavailability
Resource starvation for other users

Why It's Called "Billion Laughs": The classic payload expands the string "lol" billions of times through 9 levels of entity references, creating approximately 3GB of data from a tiny XML file.

Related Attacks:

Quadratic Blowup Attack (less severe expansion)
External Entity Expansion (combines with XXE)
DTD Recursion (similar principle in DTDs)

Classic Billion Laughs Payload

XMLbillion-laughs.xml⚠️ Vulnerable
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

Exponential Expansion Mathematics

Let's calculate the expansion:

lol = "lol" (3 bytes)
lol1 = 10 × lol = 10 × 3 = 30 bytes
lol2 = 10 × lol1 = 10 × 30 = 300 bytes
lol3 = 10 × lol2 = 10 × 300 = 3,000 bytes
lol4 = 10 × lol3 = 10 × 3,000 = 30,000 bytes
lol5 = 10 × lol4 = 10 × 30,000 = 300,000 bytes
lol6 = 10 × lol5 = 10 × 300,000 = 3,000,000 bytes (3 MB)
lol7 = 10 × lol6 = 10 × 3 MB = 30 MB
lol8 = 10 × lol7 = 10 × 30 MB = 300 MB
lol9 = 10 × lol8 = 10 × 300 MB = 3,000 MB (3 GB)

Final Result: A 750-byte XML file expands to approximately 3 GB in memory!

Each reference level multiplies the size by 10, creating exponential growth: Size = base_size × (expansion_factor ^ levels) Size = 3 × (10 ^ 9) = 3,000,000,000 bytes

Attack Variants

XMLdos-variants.xml⚠️ Vulnerable
<!-- Quadratic Blowup (less severe but still effective) -->
<?xml version="1.0"?>
<!DOCTYPE bomb [
  <!ENTITY a "aaaaaaaaaa..." (10,000 a's)>
]>
<bomb>&a;&a;&a;&a;&a;...</bomb> (repeat &a; 10,000 times)
<!-- Creates 10,000 × 10,000 = 100,000,000 bytes (100 MB) -->

<!-- External Entity Expansion -->
<!DOCTYPE bomb [
  <!ENTITY xxe SYSTEM "file:///dev/random">
]>
<bomb>&xxe;</bomb>
<!-- Reads infinite random data, crashes parser -->

<!-- Parameter Entity Recursion -->
<!DOCTYPE bomb [
  <!ENTITY % a "&a;&a;">
  %a;
]>
<!-- Infinite recursion, stack overflow -->

Vulnerable Java Code

JavaVulnerableXMLParser.java⚠️ Vulnerable
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import java.io.ByteArrayInputStream;

public class VulnerableXMLParser {
    
    public void parseXML(String xmlData) {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            
            // VULNERABLE: Default settings allow entity expansion
            // No limits on entity expansion depth or size
            
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(
                new ByteArrayInputStream(xmlData.getBytes())
            );
            
            // When billion laughs payload is parsed:
            // 1. Parser expands &lol9;
            // 2. Recursively expands &lol8; ten times
            // 3. Continues until expanding 1 billion "lol" strings
            // 4. OutOfMemoryError: Java heap space
            
            System.out.println("Parsed successfully");
            
        } catch (OutOfMemoryError e) {
            System.err.println("Memory exhausted!");
            // Application crashes or hangs
        } catch (Exception e) {
            System.err.println("Parse error: " + e.getMessage());
        }
    }
}

Secure Java Implementation

JavaSecureXMLParser.java✓ Secure
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.XMLConstants;
import org.w3c.dom.Document;
import java.io.ByteArrayInputStream;

public class SecureXMLParser {
    
    public Document parseXML(String xmlData) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        
        // PRIMARY DEFENSE: Disable DOCTYPE declarations
        factory.setFeature(
            "http://apache.org/xml/features/disallow-doctype-decl",
            true  // Blocks all entity-based attacks
        );
        
        // If DOCTYPE needed, disable entity expansion
        factory.setFeature(
            XMLConstants.FEATURE_SECURE_PROCESSING,
            true  // Enables secure processing limits
        );
        factory.setExpandEntityReferences(false);  // Don't expand entities
        
        // Set entity expansion limits (if parser supports)
        factory.setAttribute(
            "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit",
            "100"  // Maximum 100 entity expansions
        );
        
        // Disable external entities (prevents XXE + external expansion)
        factory.setFeature(
            "http://xml.org/sax/features/external-general-entities",
            false
        );
        factory.setFeature(
            "http://xml.org/sax/features/external-parameter-entities",
            false
        );
        factory.setFeature(
            "http://apache.org/xml/features/nonvalidating/load-external-dtd",
            false
        );
        
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xmlData.getBytes()));
    }
}

Python Defense with defusedxml

Pythonsecure_parser.py✓ Secure
from defusedxml import ElementTree as DefusedET
from defusedxml.lxml import fromstring as defused_fromstring
import xml.etree.ElementTree as ET

# VULNERABLE: Standard library without protection
def parse_vulnerable(xml_data):
    # This will expand entities and crash on billion laughs
    tree = ET.fromstring(xml_data)
    return tree

# SECURE: Using defusedxml
def parse_secure(xml_data):
    # defusedxml blocks:
    # - Entity expansion beyond safe limits
    # - DTD processing
    # - External entity references
    try:
        tree = DefusedET.fromstring(xml_data)
        return tree
    except DefusedET.DTDForbidden:
        print("DTD processing blocked")
    except DefusedET.EntitiesForbidden:
        print("Entity expansion blocked")
    except DefusedET.ExternalReferenceForbidden:
        print("External reference blocked")

# For lxml:
def parse_lxml_secure(xml_data):
    # defusedxml.lxml automatically applies protections
    tree = defused_fromstring(xml_data)
    return tree

# Manual configuration (if defusedxml not available):
from lxml import etree

def parse_manual_secure(xml_data):
    parser = etree.XMLParser(
        resolve_entities=False,  # Don't expand entities
        no_network=True,         # Block network access
        huge_tree=False,         # Limit tree size
        load_dtd=False          # Don't load DTDs
    )
    tree = etree.fromstring(xml_data, parser)
    return tree

Detection and Monitoring

Code Review Indicators:

XML parsers without entity expansion limits
Missing DOCTYPE restrictions
No use of secure parsing libraries (defusedxml, etc.)
ExpandEntityReferences enabled
No memory or CPU limits for XML processing

Runtime Detection:

Sudden CPU spikes during XML parsing
Memory usage rapidly increasing to maximum
OutOfMemoryError or similar exceptions
Application hang or unresponsiveness
Long parse times for small XML files

Testing Methodology:

Submit classic billion laughs payload
Monitor server memory and CPU
Measure parse time (should timeout or reject)
Try variants with different expansion depths
Test quadratic blowup attacks
Verify parser limits are enforced

Monitoring & Alerting:

Alert on high memory usage during XML parsing
Track XML parse duration metrics
Monitor for OutOfMemoryError exceptions
Set resource limits (cgroups, containers)
Implement parse timeouts

Prevention Best Practices

Primary Defenses:

Disable DOCTYPE Processing: Strongest protection - completely disallow DOCTYPE declarations Blocks all entity-based attacks (XXE and DoS)
Disable Entity Expansion: If DOCTYPE needed, disable entity reference expansion Set expandEntityReferences=false
Use Secure Libraries: Python: defusedxml, lxml with secure config Java: Xerces with secure features .NET: XmlReaderSettings with secure defaults PHP: libxml_disable_entity_loader(true)
Set Entity Expansion Limits: Java: entityExpansionLimit (default 64000) Configure lower limits for untrusted input Limit entity nesting depth

Additional Defenses:

Resource Limits: Set maximum memory for XML parser processes Use containers/cgroups to limit resources Implement parse timeouts
Input Validation: Reject XML with excessive <!ENTITY definitions Limit XML document size (before parsing) Check for suspicious patterns
Defense in Depth: Combine multiple protections Monitor and alert on anomalies Regular security testing