Name XML External Entities Blowup
Summary This attack takes advantage of XML's entity replacement mechanism in the case where an entity's replacement value is fetched from a URI. A well-crafted XML document can declare an entity that refers to a URI whose retrieval consumes a large amount of resources, creating a denial of service condition. Depending on the URI, this can cause the system to freeze, crash, or execute arbitrary code.
Prerequisites A server whose XML parser accepts and resolves entities whose values are URIs.
Solutions This attack may be mitigated by configuring the XML parser not to resolve external entities. If external entities are needed, implement a custom XmlResolver that enforces a request timeout and a data retrieval limit, and that restricts the resources it can retrieve to local ones.
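The two mitigations above, written out as an added example (this is not CAPEC's code or any vendor's resolver): a pre-parse audit that lists every externally-declared general entity without fetching anything, and a parse that hands external entity references to a policy callback instead of letting the parser fetch them. It uses only the Python standard library's expat binding (xml.parsers.expat); the XML documents, the http://example.invalid URI, the local:// scheme and the LOCAL_STORE dictionary (a stand-in for an allowlisted local directory) are all constructed for the example.

```python
import xml.parsers.expat as expat

# Constructed sample 1: an entity whose replacement text is fetched from an
# unbounded remote resource (the "blowup" case).
SAMPLE_BLOWUP = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY remote SYSTEM "http://example.invalid/endless-stream">
]>
<order><body>&remote;</body></order>"""

# Constructed sample 2: an entity that refers to a small local resource a
# deployment might legitimately want to include.
SAMPLE_LOCAL = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY legal SYSTEM "local://footer.txt">
]>
<order><note>&legal;</note></order>"""

# Constructed stand-in for an allowlisted local directory: only these system
# identifiers may ever be resolved, and only up to MAX_ENTITY_BYTES each.
LOCAL_STORE = {"local://footer.txt": b"All sales final."}
MAX_ENTITY_BYTES = 1024


def audit_external_entities(xml_bytes):
    """Return [(name, system_id)] for each general entity declared with an
    external identifier. Only EntityDeclHandler is registered, so nothing is
    fetched; this is safe to run on untrusted input as a detection step."""
    found = []
    p = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and system_id is not None:
            found.append((name, system_id))

    p.EntityDeclHandler = on_entity_decl
    p.Parse(xml_bytes, True)
    return found


def parse_with_policy(xml_bytes, allow_local=False):
    """Parse xml_bytes and return (character_data, refused_system_ids).

    With allow_local=False no external entity is ever resolved (the "do not
    resolve external entities" setting). With allow_local=True the callback acts
    as the custom resolver: it serves only allowlisted local identifiers and
    caps the number of bytes it will feed back into the parser. A refused entity
    is treated as empty and recorded, so callers can alert on it."""
    text, refused = [], []
    p = expat.ParserCreate()

    def on_chars(data):
        text.append(data)

    def on_external_ref(context, base, system_id, public_id):
        # Returning 1 tells expat to continue; we decide what, if anything,
        # is parsed as the entity's content. The parser itself never opens a URI.
        if not allow_local or system_id not in LOCAL_STORE:
            refused.append(system_id)
            return 1
        payload = LOCAL_STORE[system_id]
        if len(payload) > MAX_ENTITY_BYTES:  # data retrieval limit
            refused.append(system_id)
            return 1
        sub = p.ExternalEntityParserCreate(context)
        sub.CharacterDataHandler = on_chars
        sub.Parse(payload, True)
        return 1

    p.CharacterDataHandler = on_chars
    p.ExternalEntityRefHandler = on_external_ref
    p.Parse(xml_bytes, True)
    return "".join(text), refused


if __name__ == "__main__":
    print("declared external entities:", audit_external_entities(SAMPLE_BLOWUP))
    print("default deny:", parse_with_policy(SAMPLE_BLOWUP))
    print("allowlisted local:", parse_with_policy(SAMPLE_LOCAL, allow_local=True))
```

Because expat only calls ExternalEntityRefHandler and never fetches a URI on its own, the remote entity in SAMPLE_BLOWUP is recorded and skipped in both modes, while the allowlisted local entity is inlined only when allow_local is set. A request timeout would be enforced inside the same callback if the allowlist ever included non-local resources; here the policy is to refuse them outright.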
Related Weaknesses
CWE ID Description
CWE-611 Improper Restriction of XML External Entity Reference