Recursion is the process of repeating items in a self-similar way, and that’s what the XML Entity Expansion (XEE) is about: a small string is referenced a huge number of times.
Technology standards sometimes include features that affect the security of applications. Amit Klein found in 2002 that XML entities could be used to make parsers consume an unlimited amount of resources and then crash, which is called a billion laughs attack. When the XML parser tries to resolve, the external entities that are included cause the application to start consuming all the available memory until the process crashes.
This example shows an XML document with an embedded DTD schema that performs the attack.
The entity LOL9 in the example will be resolved as the 10 entities defined in LOL8; then each of these entities will be resolved in LOL7 and so on. Finally, the CPU and/or memory will be affected by parsing the 3*109 (3.000.000.000) entities defined in this schema and it could make the parser crash.
The SOAP specification states that a SOAP message must not contain a Document Type Declaration (DTD). Therefore, a SOAP processor can reject any SOAP message that contains a DTD.
Regardless of what the specification indicates, certain SOAP implementations do parse DTD schemas within SOAP messages:
- CVE-2013-1643: The SOAP parser (in PHP before 5.3.22 and 5.4.x before 5.4.13) allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference.
- CVE-2010-1632: Apache Axis2 before 1.5.2 (as used in IBM WebSphere Application Server 7.0 through 188.8.131.52, IBM Feature Pack for Web Services 184.108.40.206 through 220.127.116.11, IBM Feature Pack for Web 2.0 18.104.22.168, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products) does not properly reject DTDs in SOAP messages.
- CVE-2004-2244: The XML parser (in Oracle 9i Application Server Release 2 22.214.171.124 and 126.96.36.199, 188.8.131.52 and earlier, and Release 1 184.108.40.206 and 220.127.116.11.2, and Database Server Release 2 18.104.22.168 and later) allows remote attackers to cause a denial of service with CPU and memory consumption via a SOAP message containing a crafted DTD.
Here is an example of a parser that is not following the specification and is instead referencing a DTD on a SOAP message .