How does the billion laughs XML DoS attack work?

Tags:

xml

<!DOCTYPE root [
  <!ENTITY ha "Ha !">
  <!ENTITY ha2 "&ha; &ha;">
  <!ENTITY ha3 "&ha2; &ha2;">
  <!ENTITY ha4 "&ha3; &ha3;">
  <!ENTITY ha5 "&ha4; &ha4;">
  ...
  <!ENTITY ha128 "&ha127; &ha127;">
]>
<root>&ha128;</root>

Supposedly this is called a billion laughs DoS attack.

Does anyone know how it works?

Alex Gordon asked Aug 10 '10 16:08




1 Answer

The Billion Laughs attack is a denial-of-service attack that targets XML parsers. The Billion Laughs attack is also known as an XML bomb, or more esoterically, the exponential entity expansion attack. A Billion Laughs attack can occur even when using well-formed XML and can also pass XML schema validation.

The vanilla Billion Laughs attack is illustrated in the XML file represented below.

<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

In this example, there are 10 different XML entities, lol through lol9. The first entity, lol, is defined to be the string “lol”. However, each of the other entities is defined to be 10 of another entity. The document content section of this XML file contains a reference to only one instance of the entity lol9. However, when this is being parsed by a DOM or SAX parser, when lol9 is encountered, it is expanded into 10 lol8s, each of which is expanded into 10 lol7s, and so on and so forth. By the time everything is expanded to the text lol, there are 100,000,000 instances of the string "lol". If there was one more entity, or lol was defined as 10 strings of “lol”, there would be a Billion “lol”s, hence the name of the attack. Needless to say, this many expansions consumes an exponential amount of resources and time, causing the DoS.

A more extensive explanation exists on my blog.

cytinus answered Sep 25 '22 21:09
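As an added example (not code from the question or the answer), here is a Python check that applies the arithmetic in the answer in reverse: it computes the expanded size of every declared entity from the DTD alone, without expanding anything, and refuses to hand the document to the parser when the worst case exceeds a limit. The sample document (cut to four levels), the regular expressions, the 1,000,000-character limit and the names `expanded_sizes` and `parse_safely` are all constructed for this example.

```python
import re
import xml.parsers.expat

# Constructed sample: the answer's DTD shape cut to four levels, which
# expands to only 3,000 characters and is therefore safe to parse here.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<lolz>&lol4;</lolz>
"""

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')

def expanded_sizes(xml_text):
    """Expanded length of each internal entity, from the declarations only:
    size(e) = literal chars + sum(size(r) for each referenced entity r).
    Cost is linear in the DTD, not in the exponential output."""
    decls = dict(ENTITY_DECL.findall(xml_text))
    memo, in_progress = {}, set()

    def size(name):
        if name in in_progress:            # a -> b -> a is illegal XML, but
            raise ValueError(f"recursive entity &{name};")  # never loop
        if name not in memo:
            in_progress.add(name)
            value = decls[name]
            # predefined/undeclared refs (&amp; etc.) are counted as 0 chars;
            # expat rejects genuinely undeclared ones later anyway
            refs = [r for r in ENTITY_REF.findall(value) if r in decls]
            memo[name] = len(ENTITY_REF.sub("", value)) + sum(map(size, refs))
            in_progress.discard(name)
        return memo[name]

    return {name: size(name) for name in decls}

def parse_safely(xml_text, max_expansion=1_000_000):
    """Refuse the document before parsing if any entity would expand past
    max_expansion characters; otherwise return the expanded character data."""
    worst = max(expanded_sizes(xml_text).values(), default=0)
    if worst > max_expansion:
        raise ValueError(f"entity expansion of {worst:,} chars exceeds limit")
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append  # data may arrive in pieces
    parser.Parse(xml_text, True)
    return "".join(chunks)
```

Rejecting any DOCTYPE outright is the simpler production default; this pre-check is for the case where internal entities must be allowed but bounded.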