Name XML Quadratic Expansion
Summary An adversary exploits a few properties of XML (substitution entities and inline DTDs) to cause a denial of service by forcing the parser to allocate excessive memory when it fully expands the document. The adversary declares a single large entity in an inline DTD and references it many times in the document body, so the expanded output grows roughly with the product of the entity length and the reference count, that is, quadratically in the size of the input. The resulting denial of service can cause the application to freeze or crash.
Prerequisites This type of attack requires a server that accepts XML data and parses it with inline DTDs and entity expansion enabled.
Solutions Implementation: Disable the use of inline DTDs altogether in your XML parsing objects. If DTDs must be used, normalize, filter and allow-list the input, and parse with methods and routines that detect and limit entity expansion from untrusted sources.
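The following is an added Python example, not part of the CAPEC entry, that illustrates both the Summary and the Solutions above: it builds a quadratic-expansion document (one large entity referenced many times), computes how much text the parser would have to materialize, and then parses it with the standard-library Expat binding configured to either refuse inline DTDs outright or cap the total expanded character data. The entity size, reference count, byte budgets and function names are assumptions chosen for illustration.

```python
"""Quadratic entity expansion: build a payload, measure it, parse it safely.

Added example using only the Python standard library (xml.parsers.expat).
Sample sizes and limits below are constructed for illustration.
"""
import xml.parsers.expat

# Constructed sample parameters (assumed, not from the CAPEC entry).
ENTITY_SIZE = 1000       # characters in the single declared entity
REFERENCE_COUNT = 200    # times the document body references it
TEXT_BUDGET = 50_000     # hardened parser: max bytes of expanded text


class InlineDtdRejected(Exception):
    """Raised when a DOCTYPE appears but inline DTDs are not permitted."""


class ExpansionLimitExceeded(Exception):
    """Raised when expanded character data exceeds the configured budget."""


def build_quadratic_payload(entity_size: int, references: int) -> bytes:
    """Return an XML document whose inline DTD declares one entity of
    entity_size characters and whose body references it `references` times.
    The parser must produce entity_size * references characters of text
    from an input of roughly entity_size + 5 * references bytes."""
    entity = "A" * entity_size
    body = "&big;" * references
    # No whitespace outside the root element, so the only character data
    # the parser reports is the expanded entity text.
    doc = ('<?xml version="1.0"?>'
           '<!DOCTYPE payload [\n'
           f'  <!ENTITY big "{entity}">\n'
           ']>'
           f'<payload>{body}</payload>')
    return doc.encode("utf-8")


def expanded_size(entity_size: int, references: int) -> int:
    """Bytes of text a naive parser materializes for this payload."""
    return entity_size * references


def amplification(payload: bytes, entity_size: int, references: int) -> float:
    """Expanded bytes per input byte: how much the attacker's bandwidth
    is multiplied into the victim's memory."""
    return expanded_size(entity_size, references) / len(payload)


def parse_checked(data: bytes, allow_dtd: bool, max_text_bytes: int) -> dict:
    """Parse with Expat under two independent controls.

    - allow_dtd=False: any DOCTYPE is refused before its entities exist
      (the page's preferred mitigation: no inline DTDs at all).
    - allow_dtd=True: cumulative expanded character data is capped at
      max_text_bytes; exceeding it aborts the parse instead of letting
      memory grow.  External entity resolution is refused in both modes.
    Returns parse statistics on success."""
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    stats = {"text_bytes": 0, "entities_declared": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise InlineDtdRejected(f"DOCTYPE {name!r} not permitted")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        stats["entities_declared"] += 1

    def on_external_entity(context, base, sysid, pubid):
        return False  # returning False makes Expat fail the parse

    def on_chars(text):
        # Entity references in content arrive here already expanded, so
        # summing the chunks measures exactly what a DOM builder would keep.
        stats["text_bytes"] += len(text.encode("utf-8"))
        if stats["text_bytes"] > max_text_bytes:
            raise ExpansionLimitExceeded(
                f"expanded text exceeded {max_text_bytes} bytes")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return stats


if __name__ == "__main__":
    payload = build_quadratic_payload(ENTITY_SIZE, REFERENCE_COUNT)
    print(f"input {len(payload)} bytes -> "
          f"{expanded_size(ENTITY_SIZE, REFERENCE_COUNT)} bytes of text "
          f"({amplification(payload, ENTITY_SIZE, REFERENCE_COUNT):.0f}x)")
    for allow_dtd in (False, True):
        try:
            print(parse_checked(payload, allow_dtd, TEXT_BUDGET))
        except (InlineDtdRejected, ExpansionLimitExceeded) as exc:
            print(f"allow_dtd={allow_dtd}: refused: {exc}")
```

The two controls are deliberately independent: refusing the DOCTYPE is the cheap default for services that never legitimately receive DTDs, while the text budget is the fallback for parsers that must accept them. Note that the budget is enforced on the parser's output, not the input size, because the whole point of the attack is that a small input produces a large output; a 2 KB document here expands to about 200 KB, and the ratio grows with both the entity length and the reference count.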
Related Weaknesses
CWE ID Description
CWE-770 Allocation of Resources Without Limits or Throttling