Exponential Entity Expansion (Billion Laughs Attack)

ID

exponential_entity_expansion_billion_laughs_attack

Severity

high

Kind

Injection

CWE

776

Description

An exponential entity expansion, or "billion laughs", attack is a denial-of-service (DoS) attack. It targets parsers of markup and serialization formats that support macro-like substitution: XML entities, and the analogous anchor/alias mechanism in YAML. The detector identifies endpoints that accept maliciously crafted documents containing nested entity definitions (each entity referencing the previous one many times) that expand exponentially when the parser resolves them.

Rationale

Billion laughs attacks exploit XML parsers that resolve entities eagerly by declaring a chain of entities in which each entity references the previous one many times. In the classic payload, ten levels of ten references each make the top-level entity expand to 10^9 copies of a short string (about 3 GB for the string "lol"), although the document itself is under 1 KB. Note that the entities are nested, not recursive: XML forbids entity references that loop back on themselves, and conforming parsers reject those, so the attack relies only on legitimate nesting. When the parser resolves the top-level reference, the expanded content grows from kilobytes to gigabytes within seconds, exhausting memory and CPU on the server. This causes application crashes, service unavailability, and denial of service for legitimate users. The attack is particularly effective because the malicious payload is compact, passes size limits on the request body, and appears benign until parsing begins.

Remediation

The most robust defense is to disable DTD and entity processing entirely when the application does not need it, which removes the attack surface rather than bounding it (for example, DtdProcessing.Prohibit in .NET XmlReaderSettings, the http://apache.org/xml/features/disallow-doctype-decl feature in Java SAX/DOM parsers, resolve_entities=False in lxml, or the defusedxml wrappers in Python; for YAML, disallow or bound alias expansion in the loader). Where entities must be supported, bound the expansion instead: cap the memory allocated to an individual parser if loss of the document is acceptable, enforce limits on entity depth, reference count, or amplification ratio (recent libxml2 and expat releases ship such limits by default, so keep the parser library current and do not switch them off with options such as libxml2's XML_PARSE_HUGE), or treat entities symbolically and expand them lazily only when (and to the extent) their content is actually used, so that the expanded size is known and checked before any expansion is performed.