Application Security Terminology



XML Entity Expansion

XML entity expansion exploits a capability of XML document type definitions that allows the creation of custom macros, called entities. By recursively defining a set of custom entities at the top of a document, an attacker can overwhelm parsers that attempt to completely resolve these entities, resulting in a denial-of-service condition.


The XML entity expansion attack requires that the target receive XML input and either fail to set an upper limit on entity expansion or set a limit so large that it does not preclude significant resource consumption. An attacker submits an XML document to the target application in which nested entity definitions expand to an excessively large output document.

XML allows the definition of macro-like structures that simplify the creation of complex documents. However, this capability can be abused to place excessive demands on a processor's CPU and memory: because each nesting level multiplies the expanded size, a handful of nested entity definitions produces exponential growth in the output, and a parser that resolves every reference in full exhausts memory long before it finishes.
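One defensive check a practitioner can put in front of a parser, as an added example that is not part of this glossary entry: compute the fully expanded size of every entity from the internal DTD subset without expanding anything, and reject the document when the total exceeds a budget. The regexes, the `MAX_EXPANSION` budget, and the constructed sample document are assumptions for the example; the size computation is memoised, so its cost is linear in the number of declarations rather than exponential in the nesting depth.

```python
import re
from xml.etree import ElementTree as ET

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')
MAX_EXPANSION = 10_000  # hypothetical per-document byte budget; tune per application


def entity_expansion_size(xml_text, limit=MAX_EXPANSION):
    """Bytes the body's entity references would expand to; ValueError once past `limit`.
    Memoised recursion over the internal DTD subset keeps this linear in declarations."""
    head, sep, body = xml_text.partition(']>')
    if not sep:                    # no internal subset: nothing custom to expand
        head, body = '', xml_text
    decls = dict(ENTITY_DECL.findall(head))
    sizes = {}

    def size_of(name, active):
        if name in sizes:
            return sizes[name]
        if name not in decls:      # predefined (&amp;) or undeclared: one character
            return 1
        if name in active:         # XML forbids recursive entities; treat as hostile
            raise ValueError(f"recursive entity &{name};")
        total = len(ENTITY_REF.sub('', decls[name]))  # literal characters
        for ref in ENTITY_REF.findall(decls[name]):
            total += size_of(ref, active | {name})
            if total > limit:      # abort on the partial sum, never build the output
                raise ValueError(f"&{name}; expands past {limit} bytes")
        sizes[name] = total
        return total

    total = 0
    for ref in ENTITY_REF.findall(body):
        total += size_of(ref, frozenset())
        if total > limit:
            raise ValueError(f"document expands past {limit} bytes")
    return total


def parse_with_budget(xml_text, limit=MAX_EXPANSION):
    """Parsed root, or None if the budget check rejects the document before parsing."""
    try:
        entity_expansion_size(xml_text, limit)
    except ValueError:
        return None
    return ET.fromstring(xml_text)


# Constructed sample: four nested levels, three references each, 3**4 = 81 bytes.
SAMPLE = ('<?xml version="1.0"?>\n<!DOCTYPE doc [\n  <!ENTITY e0 "xyz">\n'
          '  <!ENTITY e1 "&e0;&e0;&e0;">\n  <!ENTITY e2 "&e1;&e1;&e1;">\n'
          '  <!ENTITY e3 "&e2;&e2;&e2;">\n]>\n<doc>&e3;</doc>\n')
```

The same check covers entity references in attribute values, and a self-referencing declaration (which XML forbids) is rejected outright rather than being handed to the parser.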