CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Learn about CWE-776 (Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')), its security impact, exploitation methods, and prevention guidelines.

What is Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')?

• Overview: This weakness occurs when an XML parser accepts a DTD whose entities reference other entities without bounding how much text they expand into. The XML specification already forbids an entity from referring to itself, directly or indirectly, so the practical attack is not true recursion but deep nesting: each entity references the one below it many times, and the expanded size grows exponentially with the number of levels while the document itself stays a few hundred bytes.

• Exploitation Methods:

  • Attackers submit a small XML document whose internal DTD declares a chain of nested entities, each referencing its predecessor many times, and then reference the top of the chain from the document body.
  • The classic form is the "billion laughs" attack: ten levels of tenfold nesting yield 10^10 copies of the innermost string, so a parser that expands entities eagerly exhausts memory or CPU long before it finishes.

• Security Impact:

  • Direct consequences include denial of service due to resource exhaustion.
  • Potential cascading effects could include system downtime and unavailability of services.
  • Business impact may involve loss of customer trust, revenue loss, and increased operational costs.

• Prevention Guidelines:

  • Disable DTD processing entirely when the application does not need it; a parser that refuses the DOCTYPE never reaches the entity declarations. Where DTDs are required, cap the number of entity expansions and the total expanded size, and forbid parameter and external entities.
  • Enforce the limits in the parser rather than by "sanitizing" the input: entity declarations can be written in many textual forms, and a pre-parse filter that misses one still lets the parser expand it. Bound the size of the raw input as well.
  • Use a maintained XML library, keep it patched, and check its default limits; several modern parsers ship with an expansion limit, but older releases and some language bindings do not.

Corgea can automatically detect and fix Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Medium

Affected Languages: XML

Affected Technologies: Not specified

Vulnerable Code Example

XML Example

<!DOCTYPE data [
    <!ENTITY x0 "foo">
    <!ENTITY x1 "&x0;&x0;&x0;&x0;&x0;&x0;&x0;&x0;&x0;&x0;">
    <!ENTITY x2 "&x1;&x1;&x1;&x1;&x1;&x1;&x1;&x1;&x1;&x1;">
    <!ENTITY x3 "&x2;&x2;&x2;&x2;&x2;&x2;&x2;&x2;&x2;&x2;">
    <!ENTITY x4 "&x3;&x3;&x3;&x3;&x3;&x3;&x3;&x3;&x3;&x3;">
    <!ENTITY x5 "&x4;&x4;&x4;&x4;&x4;&x4;&x4;&x4;&x4;&x4;">
    <!ENTITY x6 "&x5;&x5;&x5;&x5;&x5;&x5;&x5;&x5;&x5;&x5;">
    <!ENTITY x7 "&x6;&x6;&x6;&x6;&x6;&x6;&x6;&x6;&x6;&x6;">
    <!ENTITY x8 "&x7;&x7;&x7;&x7;&x7;&x7;&x7;&x7;&x7;&x7;">
    <!ENTITY x9 "&x8;&x8;&x8;&x8;&x8;&x8;&x8;&x8;&x8;&x8;">
    <!ENTITY boom "&x9;&x9;&x9;&x9;&x9;&x9;&x9;&x9;&x9;&x9;">
]>
<data>&boom;</data>

Explanation:

  • The DTD above declares a chain of nested entities: x0 is the three-byte string foo, and each of x1 to x9 references the entity below it ten times, so x9 alone expands to 10^9 copies of foo. boom references x9 ten times and the body references boom, so a parser that expands entities produces 10^10 copies of foo, roughly 30 GB of text, from a document well under a kilobyte. This is the classic "Billion Laughs" payload. Note that the entities are nested, not recursive (an entity that refers to itself is a well-formedness error and is rejected); it is the exponential growth per level that drives memory and CPU exhaustion and the resulting Denial of Service (DoS).

How to fix Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')?

To mitigate this weakness, disable DTD processing entirely unless the application genuinely needs it; a parser configured to reject the DOCTYPE declaration stops before it ever reads an entity declaration. If DTDs are required, configure the parser to bound expansion: a cap on the number of entity expansions, a cap on the total expanded size, and no external or parameter entities. The JDK's JAXP parsers, for example, enforce a default jdk.xml.entityExpansionLimit of 64,000 expansions under secure processing, which on its own stops the payload above (it performs more than 10^10 expansions), but the limit can be raised or switched off by configuration, so verify it rather than assume it.

Fixed Code Example

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.InputStream;

public class XMLParser {
    public Document parseXML(InputStream inputStream)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE. With this feature on, builder.parse() throws a
        // SAXParseException as soon as it reads the DTD in the vulnerable example,
        // before a single entity is declared, let alone expanded.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the feature above is ever relaxed: never fetch
        // external general or parameter entities (the XXE vector).
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Do not pull in XInclude'd documents, and leave entity references unexpanded in the DOM.
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);

        DocumentBuilder builder = factory.newDocumentBuilder();
        // Callers should treat a SAXParseException here as a rejected input,
        // not retry with a more permissive parser.
        return builder.parse(inputStream);
    }
}

Explanation:

  • With http://apache.org/xml/features/disallow-doctype-decl set to true, builder.parse throws a SAXParseException as soon as it meets the DOCTYPE, so the entity declarations in the vulnerable example are never read and nothing is expanded. This single feature is what defeats the billion laughs payload; callers should catch the exception and reject the input rather than retrying with a permissive parser.
  • Setting http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities to false stops the parser from fetching entities declared with SYSTEM or PUBLIC identifiers. That is the guard against XML External Entity injection (CWE-611) rather than against expansion of internal entities, and it is redundant once DOCTYPEs are refused, but it keeps the parser safe if the first feature is later relaxed. Calling setExpandEntityReferences(false) and setXIncludeAware(false) on the factory is common additional hardening.
  • Together these settings prevent the parser from declaring, resolving or expanding entities from an untrusted DTD, which is what protects the application from resource exhaustion.
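The two strategies above (refuse DTDs outright; otherwise bound the expansion) carried into Python, as an added example written for this page rather than Corgea's code or a port of the Java sample. It uses only the standard library: xml.parsers.expat's StartDoctypeDeclHandler to refuse a DOCTYPE before the DTD is read, and a small regex-based estimator that sizes the fully expanded document from the entity declarations alone for services that must accept an internal DTD. The sample documents (BILLION_LAUGHS, built with the same shape as the payload above, BENIGN and NO_DTD) and all function names are constructed for this example.

```python
"""Two pre-parse guards against XML entity expansion. Added example written for
this page; it is not Corgea's code and not a port of the Java sample.
parse_without_dtd(): refuse any DOCTYPE the moment expat reports it, before a
    single entity is declared or expanded (the counterpart of disallow-doctype-decl).
expanded_size(): for services that must accept an internal DTD, size the fully
    expanded document from the declarations alone, aborting once a running
    total passes a budget, without ever expanding anything."""
import re
import xml.parsers.expat as expat

# Constructed sample with the same shape as the page's payload: ten levels of
# tenfold nesting, i.e. 10**10 copies of "foo" (30 GB) once expanded.
_decls = ["<!DOCTYPE data [", '  <!ENTITY x0 "foo">']
for _i in range(1, 10):
    _decls.append('  <!ENTITY x%d "%s">' % (_i, "&x%d;" % (_i - 1) * 10))
_decls += ['  <!ENTITY boom "%s">' % ("&x9;" * 10), "]>", "<data>&boom;</data>"]
BILLION_LAUGHS = "\n".join(_decls)
# Constructed benign documents: a small internal DTD, and no DTD at all.
BENIGN = """<!DOCTYPE note [
  <!ENTITY company "Example Corp">
  <!ENTITY sig "&company; security team">
]>
<note>&sig;</note>"""
NO_DTD = "<data>plain &amp; simple</data>"

class DoctypeRejected(ValueError): pass

class ExpansionTooLarge(ValueError): pass

def parse_without_dtd(xml_text: str) -> str:
    """Parse with expat and return the root element name. Raises DoctypeRejected
    as soon as a <!DOCTYPE appears; expat stops there and never reads the DTD."""
    parser = expat.ParserCreate()
    seen = []
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected("DOCTYPE %r refused: DTDs are not accepted" % name)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(xml_text, True)  # an exception raised in a handler propagates out of Parse()
    return seen[0]

def rejects_dtd(xml_text: str) -> bool:
    """True when parse_without_dtd() refuses the document because of a DOCTYPE."""
    try:
        parse_without_dtd(xml_text)
        return False
    except DoctypeRejected:
        return True

# Internal-subset syntax the estimator understands: general entities with a quoted
# literal value. Parameter (%) and SYSTEM/PUBLIC entities are refused outright.
_ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(%\s*)?([^\s%>]+)\s+(?:"([^"]*)"|\'([^\']*)\'|(SYSTEM|PUBLIC)\b[^>]*)\s*>', re.S)
_ENTITY_REF = re.compile(r'&([A-Za-z_][\w.\-]*);')  # named references only; &#..; stays literal
_DOCTYPE = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[.*?\])?\s*>', re.S)
_PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}  # each expands to one character

def expanded_size(xml_text: str, max_chars: int = 1_000_000) -> int:
    """Characters the document body occupies after full entity substitution.
    Raises ExpansionTooLarge once any partial total exceeds max_chars, or if a
    parameter, external or self-referencing entity is declared. Assumes entity
    values in the internal subset contain no ']'."""
    m = _DOCTYPE.search(xml_text)
    dtd, body = (m.group(0), xml_text[m.end():]) if m else ("", xml_text)
    declared, memo = {}, {}
    for decl in _ENTITY_DECL.finditer(dtd):
        is_param, name, dq, sq, external = decl.groups()
        if is_param or external:
            raise ExpansionTooLarge("entity %r is a parameter or external entity" % name)
        declared.setdefault(name, dq if dq is not None else sq)  # first binding wins

    def size_of(name, active):
        if name not in declared:  # predefined entities expand to one character,
            return 1 if name in _PREDEFINED else len(name) + 2  # undeclared stay literal
        if name in active:
            raise ExpansionTooLarge("entity %r references itself" % name)
        if name not in memo:
            memo[name] = size_of_text(declared[name], active | {name})
        return memo[name]

    def size_of_text(text, active):
        total, last = 0, 0
        for ref in _ENTITY_REF.finditer(text):
            total += ref.start() - last + size_of(ref.group(1), active)
            last = ref.end()
            if total > max_chars:  # abort early: never finish sizing a bomb
                raise ExpansionTooLarge("expansion exceeds %d characters" % max_chars)
        return total + len(text) - last

    return size_of_text(body, frozenset())

def within_budget(xml_text: str, max_chars: int = 1_000_000) -> bool:
    try:
        expanded_size(xml_text, max_chars)
        return True
    except ExpansionTooLarge:
        return False
```

With the default budget of one million characters the estimator gives up while sizing x6, after four multiplications, so the 30 GB payload is refused in microseconds; raising the budget to 10^11 lets it report the full 30,000,000,014 characters the body would become, which is the figure the page's "10^10 copies of foo" works out to once the surrounding tags are counted. The estimator is deliberately conservative: it refuses parameter and external entities instead of trying to size them, since those are the XXE vectors the Java features above switch off, and parse_without_dtd remains the stronger control wherever a DOCTYPE can simply be rejected.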


Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') and get remediation guidance

Start for free and no credit card needed.