
400 Bad Request: XML parse error - entity expansion limit exceeded

ID: api/xml-parse-error-entity-expansion

Fix Rate: 85%
Confidence: 83%
Evidence: 1
First Seen: 2024-01-10

Version Compatibility

Version                  Status   Introduced   Deprecated   Notes
Java Xerces 2.12+        active
Python defusedxml 0.7+   active
libxml2 2.9+             active
Spring Boot 3.x          active

Root Cause

The XML request body declares internal entities whose references, through deep nesting or sheer number, would expand past the parser's entity expansion limit. That limit is the parser's protection against entity-expansion denial of service (the "billion laughs" attack), so the 400 is the parser rejecting the request as designed, not a parser bug: the input is at fault, and a normal API client has no reason to send a DOCTYPE with entity declarations at all.


Official Documentation

https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

Workarounds

  1. 90% success: Parse with a hardened parser that refuses entity declarations instead of expanding them. Example using Python defusedxml, whose defaults forbid entity declarations and external entities (pass forbid_dtd=True to reject any DOCTYPE outright):
    import io
    from defusedxml import ElementTree, EntitiesForbidden, DefusedXmlException
    # defusedxml raises EntitiesForbidden as soon as the DTD declares an entity,
    # so a billion-laughs payload is rejected before any expansion happens
    try:
        tree = ElementTree.parse(io.StringIO(xml_string))
    except EntitiesForbidden:
        print('Entity expansion attack detected')
    except DefusedXmlException:
        print('Other unsafe XML construct rejected (DTD or external reference)')
    If you are the client receiving this error, the fix is on your side: send the request without a DOCTYPE or internal entity declarations.
  2. 85% success: Use JSON or another non-XML format for the API if nothing in it actually needs XML entity expansion; this removes the attack surface rather than limiting it.
  3. 80% success: Implement a custom input filter that rejects XML containing a DOCTYPE with entity declarations, or more than a small number of them, before the body reaches the parser. Keep the hardened parser as well: a pre-filter reduces load and gives a clearer error, but it is not a substitute for parser-level limits.
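The following is an added example of the pre-parse filter from step 3, not code from the page or from any library: it estimates how large a document would become if every internal entity were expanded, doing only arithmetic on the declared entity values, and rejects recursive and external (SYSTEM/PUBLIC) declarations on the way. The sample payloads are constructed for the example, and the thresholds (50 declarations, 1,000,000 expanded bytes, 100x amplification) are assumptions chosen for illustration, not values from any standard or parser.

```python
"""Pre-parse entity-expansion filter (added example; thresholds are assumptions)."""
import re
from dataclasses import dataclass
from typing import Dict, Set

# Constructed sample: classic billion-laughs shape, six levels of x10 fan-out,
# so the 3-byte "lol" expands to 3,000,000 bytes.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
]>
<lolz>&lol6;</lolz>
"""
# Constructed benign request: one small internal entity, 12 bytes of expansion.
BENIGN = b"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY co "Example Corp"> ]>
<order><customer>&co;</customer><qty>3</qty></order>
"""
# Constructed edge cases: a recursive pair (a parser must not loop on it) and an
# external entity (an XXE attempt rather than expansion; rejected as well).
RECURSIVE = b'<!DOCTYPE r [<!ENTITY a "&b;"><!ENTITY b "&a;">]><r>&a;</r>'
EXTERNAL = b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]><r>&x;</r>'

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>", re.DOTALL)
_ENTITY_DECL_RE = re.compile(
    rb"<!ENTITY\s+(%\s*)?([A-Za-z_][\w.:-]*)\s+(?:\"([^\"]*)\"|'([^']*)')\s*>", re.DOTALL)
_EXTERNAL_DECL_RE = re.compile(rb"<!ENTITY\s+(?:%\s*)?[A-Za-z_][\w.:-]*\s+(?:SYSTEM|PUBLIC)\b")
_REF_RE = re.compile(rb"&([A-Za-z_][\w.:-]*);")


@dataclass
class Verdict:
    ok: bool
    reason: str
    expanded_bytes: int = 0
    amplification: float = 0.0


def _expanded_size(name: bytes, decls: Dict[bytes, bytes],
                   memo: Dict[bytes, int], visiting: Set[bytes]) -> int:
    """Bytes produced by fully expanding &name;. Only sizes are computed, never text."""
    if name in memo:
        return memo[name]
    if name not in decls:
        # Predefined (&amp; etc.) or undeclared: count the reference as written;
        # this over-estimates &amp; by a few bytes and never under-estimates.
        return len(name) + 2
    if name in visiting:
        raise ValueError(f"recursive entity reference through &{name.decode()};")
    visiting.add(name)
    value = decls[name]
    size = len(value)
    for ref in _REF_RE.finditer(value):
        # Swap each nested reference's literal length for its expanded length.
        size += _expanded_size(ref.group(1), decls, memo, visiting) - len(ref.group(0))
    visiting.discard(name)
    memo[name] = size
    return size


def check_entity_expansion(xml: bytes, max_decls: int = 50,
                           max_expanded_bytes: int = 1_000_000,
                           max_amplification: float = 100.0) -> Verdict:
    """Reject before parsing what a hardened parser would refuse anyway.

    max_decls also bounds the recursion depth of _expanded_size; the other two
    limits cap absolute expanded size and the ratio of expanded to wire size.
    """
    if _EXTERNAL_DECL_RE.search(xml):
        return Verdict(False, "external entity declaration (SYSTEM/PUBLIC)")
    doctype = _DOCTYPE_RE.search(xml)
    if doctype is None:
        return Verdict(True, "no internal DTD subset")
    decls: Dict[bytes, bytes] = {}
    for d in _ENTITY_DECL_RE.finditer(doctype.group(1)):
        if d.group(1):
            continue  # parameter entity (%name;): never referenced from content
        value = d.group(3) if d.group(3) is not None else d.group(4)
        decls.setdefault(d.group(2), value)  # XML binds the first declaration
    if len(decls) > max_decls:
        return Verdict(False, f"{len(decls)} entity declarations exceed {max_decls}")
    memo: Dict[bytes, int] = {}
    expanded = 0
    try:
        for ref in _REF_RE.finditer(xml[doctype.end():]):
            expanded += _expanded_size(ref.group(1), decls, memo, set())
    except ValueError as err:
        return Verdict(False, str(err))
    amplification = expanded / len(xml)
    if expanded > max_expanded_bytes:
        return Verdict(False, f"{expanded} expanded bytes exceed {max_expanded_bytes}",
                       expanded, amplification)
    if amplification > max_amplification:
        return Verdict(False, f"amplification {amplification:.0f}x exceeds limit",
                       expanded, amplification)
    return Verdict(True, "within limits", expanded, amplification)


if __name__ == "__main__":
    for label, doc in [("billion laughs", BILLION_LAUGHS), ("benign", BENIGN),
                       ("recursive", RECURSIVE), ("external", EXTERNAL)]:
        v = check_entity_expansion(doc)
        print(f"{label:15} ok={v.ok!s:5} expanded={v.expanded_bytes:>8} {v.reason}")
```

The filter deliberately over-counts (references inside comments or CDATA are included, and predefined entities are counted at reference length), which is the safe direction for a gate that only decides whether to hand the body to the real parser. It does not replace the parser's own limits: anything that slips past the regexes still meets defusedxml or the equivalent hardened settings in Xerces, libxml2 or Spring.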


Dead Ends

Common approaches that don't work:

  1. 60% fail: This may make the application vulnerable to denial-of-service attacks, and the error can still occur when the input is malicious enough to exceed whatever limit remains.
  2. 50% fail: Most secure parsers enforce similar limits, so the error follows the request to the new parser; the underlying issue is the input data, not the parser.
  3. 80% fail: This removes security protections and may allow injection attacks, without fixing the entity expansion problem.