HawkScan Test Info for Exponential Entity Expansion (Billion Laughs Attack)

Exponential Entity Expansion (Billion Laughs Attack)

Reference

Plugin Id: 40044 | CWE: 776

Remediation

  1. Limit entity expansion: Configure the XML parser to cap how many entities a DTD may declare, how deeply entity references may nest, and how many bytes the expanded text may reach, and make it abort parsing when a cap is hit rather than continue.
  2. Disable DTDs and external entities: The Billion Laughs payload needs nothing more than internal entities declared in an inline DTD, so if the application never needs a DTD, configure the parser to reject a DOCTYPE declaration outright. Disabling external entity resolution as well closes the related XXE class at the same time.
  3. Resource limits: Parse untrusted XML under a bounded memory allocation and a CPU or wall-clock timeout so that a document that does expand fails in isolation instead of taking the whole process down.
  4. Use secure parsers: Prefer parsers or wrappers that refuse entity declarations by default or cap amplification (for example, defusedxml for Python, or libexpat 2.4.0 and later, which enforces an amplification limit), and keep their protective defaults in place.
  5. Input validation: Enforce a maximum document size and reject any document that carries a DOCTYPE where none is expected before the parser sees it. A Billion Laughs document is well-formed XML, so schema validation on its own does not stop it.

About

Exponential Entity Expansion, better known as the "Billion Laughs" attack, abuses the entity feature of XML DTDs to cause denial of service. The attacker declares a chain of internal entities in an inline DTD in which each entity consists of several references to the previous one. The canonical payload declares a base entity and nine further levels that each reference the previous level ten times, so the single reference in the document body expands to 10^9 copies of the base string, roughly 3 GB of text from a document under 1 KB. A parser that expands entities without limits consumes that much memory and CPU before the application ever sees the result.
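As an added, runnable illustration (example code written for this page, not HawkScan's or StackHawk's own), the Python block below builds a scaled-down Billion Laughs payload to show the fanout**depth growth described above, parses it with the standard-library expat parser at its defaults to show that the expansion really happens, and then parses with the same parser configured along the lines of the remediation list: an input-size cap, a limit on entity declarations (zero by default, which disables them), a budget on expanded text, and an explicit refusal of external entities. The function names, the XMLExpansionBlocked exception and every limit value are assumptions made for the example; the payloads are constructed sample input.

```python
"""Scaled-down Billion Laughs payload and a guarded expat parser.

Added example for this page; not HawkScan or StackHawk code. Function names,
the XMLExpansionBlocked exception and every limit value are assumptions.
"""
from xml.parsers import expat


class XMLExpansionBlocked(Exception):
    """Raised when the guarded parser refuses a document."""


def build_payload(depth: int, fanout: int, seed: str = "lol") -> bytes:
    """Constructed sample input: a Billion Laughs document.

    Level N is declared as `fanout` references to level N-1, so a single
    reference to the last level expands to fanout**depth copies of `seed`.
    The canonical attack is depth=9, fanout=10: 10**9 copies of "lol".
    """
    lines = ['<?xml version="1.0"?>', "<!DOCTYPE lolz [", f'<!ENTITY lol "{seed}">']
    for level in range(1, depth + 1):
        previous = "lol" if level == 1 else f"lol{level - 1}"
        refs = f"&{previous};" * fanout
        lines.append(f'<!ENTITY lol{level} "{refs}">')
    lines.append("]>")
    lines.append(f"<lolz>&lol{depth};</lolz>")
    return "\n".join(lines).encode()


def expanded_length(depth: int, fanout: int, seed: str = "lol") -> int:
    """Bytes of text a parser must materialise for build_payload(depth, fanout)."""
    return fanout ** depth * len(seed)


def parse_naive(data: bytes) -> str:
    """expat at its defaults: every internal entity is expanded in full."""
    chunks = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def parse_guarded(data: bytes, *, max_input_bytes: int = 1 << 20,
                  max_entity_decls: int = 0, max_text_bytes: int = 1 << 20) -> str:
    """expat with the controls from the remediation list applied.

    - max_input_bytes: checked before parsing starts, so nothing expands.
    - max_entity_decls: 0 (the default) refuses the first <!ENTITY ...> in
      the DTD, which is where a Billion Laughs document is defined; a small
      positive value allows entities but bounds how many may be declared.
    - max_text_bytes: parsing is aborted as soon as the character data
      delivered by the parser exceeds the budget.
    - external entity references are refused explicitly instead of relying
      on parser defaults.
    Returns the concatenated character data of the document.
    """
    if len(data) > max_input_bytes:
        raise XMLExpansionBlocked(f"input of {len(data)} bytes exceeds {max_input_bytes}")

    chunks = []
    decl_count = 0
    text_bytes = 0
    parser = expat.ParserCreate()

    def on_entity_decl(name, *_):
        # expat passes (name, is_parameter_entity, value, base, system_id,
        # public_id, notation_name); only the name matters here.
        nonlocal decl_count
        decl_count += 1
        if decl_count > max_entity_decls:
            raise XMLExpansionBlocked(f"entity declaration {name!r} exceeds limit {max_entity_decls}")

    def on_text(text):
        nonlocal text_bytes
        text_bytes += len(text)
        if text_bytes > max_text_bytes:
            raise XMLExpansionBlocked(f"expanded text exceeds {max_text_bytes} bytes")
        chunks.append(text)

    def on_external_entity(context, base, system_id, public_id):
        raise XMLExpansionBlocked(f"external entity {system_id!r} not allowed")

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_text
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(data, True)  # an exception raised in a handler aborts Parse
    return "".join(chunks)


def is_blocked(data: bytes, **limits) -> bool:
    """True if parse_guarded refuses the document under the given limits."""
    try:
        parse_guarded(data, **limits)
    except XMLExpansionBlocked:
        return True
    return False


if __name__ == "__main__":
    small = build_payload(depth=3, fanout=3)  # 3**3 = 27 copies of "lol"
    print(f"{len(small)} input bytes -> {len(parse_naive(small))} text bytes unguarded")
    print(f"canonical depth=9 fanout=10 would materialise {expanded_length(9, 10):,} bytes")
    print("guarded, default limits:", is_blocked(small))
    print("guarded, 10 decls / 100 bytes:", is_blocked(small, max_entity_decls=10, max_text_bytes=100))
    print("depth 4 under the same budget:", is_blocked(build_payload(4, 3), max_entity_decls=10, max_text_bytes=100))
```

With the defaults, `parse_guarded` rejects the very first entity declaration, which is the right setting for an endpoint that never expects a DTD. Raising `max_entity_decls` and lowering `max_text_bytes` is the "limit rather than disable" option from the remediation list: a depth-3 payload (81 bytes of text) passes a 100-byte budget, while a depth-4 payload (243 bytes) is cut off as soon as the budget is exceeded, before the rest of the expansion is processed.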

Risks

High: A single small, well-formed document can exhaust the memory and CPU of the parsing process, crashing the application or leaving it unresponsive, which affects availability for every user of the service, not only the sender of the request.