
Billion laughs attack - henning
https://en.wikipedia.org/wiki/Billion_laughs_attack
======
arkadiyt
If you're parsing XML then external entities (allowing local file inclusion or
server side request forgery) are much more dangerous for you than this denial
of service. OWASP has a cheat sheet for disabling XXE on a few different
parsers:

[https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Pr...](https://www.owasp.org/index.php/XML_External_Entity_\(XXE\)_Prevention_Cheat_Sheet)

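The kind of guard the OWASP cheat sheet recommends, as an added example (not from the thread, OWASP or the Wikipedia article): a Python pre-scan built on the standard library's expat bindings that refuses external entity declarations and measures how far each internal entity would expand, aborting before the document body is ever parsed. The `lol_bomb`, `BENIGN` and `EXTERNAL` documents are constructed here, and `EXPANSION_LIMIT` is an assumed threshold.

```python
import xml.parsers.expat as expat

EXPANSION_LIMIT = 1_000_000  # assumed: largest fully expanded entity (bytes) we accept


class _Stop(Exception):
    """Private signal raised inside a handler to abort expat before it expands anything."""


def audit_dtd(xml_text: str, limit=EXPANSION_LIMIT):
    """Scan only the DTD; return (entity_sizes, rejection_reason_or_None).
    Expat reports each <!ENTITY> as it is read and leaves &name; references in a
    replacement text literal, so an entity's expanded size follows from the ones
    declared before it. limit=None measures without rejecting; the body is never parsed."""
    sizes: dict[str, int] = {}

    def expanded_size(value: str) -> int:
        total, i = 0, 0
        while (j := value.find("&", i)) >= 0 and (k := value.find(";", j)) > j:
            # unknown and character references (&#...;) count as literal text
            total += len(value[i:j]) + sizes.get(value[j + 1:k], k - j + 1)
            i = k + 1
        return total + len(value) - i

    def on_entity(name, _is_param, value, *_):
        if value is None:  # SYSTEM/PUBLIC entity: the XXE vector, refuse outright
            raise _Stop(f"external entity {name!r} declared")
        sizes[name] = expanded_size(value)
        if limit is not None and sizes[name] > limit:
            raise _Stop(f"{name!r} expands to {sizes[name]:,} bytes")

    def on_doctype_end():
        raise _Stop()  # DTD finished; nothing after ]> adds amplification

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_doctype_end
    try:
        parser.Parse(xml_text, True)
    except _Stop as stop:
        return sizes, (str(stop) or None)  # empty message means the DTD simply ended
    return sizes, None  # no DOCTYPE at all


def lol_bomb(depth: int = 9) -> str:
    """Constructed sample: the article's classic bomb, `depth` levels of ten refs each."""
    decls = ['<!ENTITY lol "lol">']
    for n in range(1, depth + 1):
        ref = "&lol;" if n == 1 else f"&lol{n - 1};"
        decls.append(f'<!ENTITY lol{n} "{ref * 10}">')
    return f"<!DOCTYPE lolz [{''.join(decls)}]><lolz>&lol{depth};</lolz>"


# Constructed samples: one harmless internal entity, one external (XXE-style) entity.
BENIGN = '<!DOCTYPE n [<!ENTITY co "Example Corp">]><n>&co;</n>'
EXTERNAL = '<!DOCTYPE n [<!ENTITY ext SYSTEM "https://example.com/x.xml">]><n>&ext;</n>'
```

Run with `limit=None` the scan reports the classic nine-level bomb expanding to 3,000,000,000 bytes from well under a kilobyte of input; with the default limit it is rejected at `lol6`, long before any of that text exists in memory.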
------
robko
Interestingly, many browsers are still susceptible to this attack, for example
when used in SVG files (WARNING: might crash your browser and/or operating
system): [https://jsfiddle.net/e3guLn08/](https://jsfiddle.net/e3guLn08/)

~~~
kazinator
Browsers are susceptible to a server that generates an infinite HTML page
(e.g. CGI shell script calling "yes <arg>"), and also to a thing called
JavaScript that can eat all your memory programmatically (and does exactly that
on a regular basis).

------
berbec
Is this just a 21st century zipbomb?

0:
[https://en.m.wikipedia.org/wiki/Zip_bomb](https://en.m.wikipedia.org/wiki/Zip_bomb)

~~~
tdurden
The linked Wikipedia entry specifically references zip bombs as "a similar
attack utilizing zip archives".

------
AdmiralAsshat
And here I thought this would be a variant of the hypothetical Chinese chair
attack: [https://www.straightdope.com/columns/read/142/if-all-chinese...](https://www.straightdope.com/columns/read/142/if-all-chinese-jumped-at-once-would-cataclysm-result/)

------
kristianp
A similar attack on CSS in browsers was shown recently here:
[https://cras.sh/](https://cras.sh/)

------
kazinator
> _A "Billion laughs" attack should exist for any file format that can contain
> references, for example this YAML bomb:_

C preprocessor?

    $ gcc -E - | wc
    #define EXP(X) X X X X X X X X X X X X X X X X
    #define LOL1 EXP(LOL)
    #define LOL2 EXP(LOL1)
    #define LOL3 EXP(LOL2)
    #define LOL4 EXP(LOL3)
    #define LOL5 EXP(LOL4)
    LOL5
    [Ctrl-D][Enter]
    11 1048588 4194376

Not normally considered a "file format", though. People don't open a C
preprocessor attachment in their e-mail only to have some application grind
their PC and crash. Or use this for RPC calls and whatnot.

------
sytringy05
This is loads of fun against batteries-included web frameworks like Rails,
Grails, Play Framework and so on. Not sure about now, but a few years ago
basically all of them were susceptible to this and XXE and it was extremely
difficult to disable in the XML parsers.

------
kerng
This has been around for well over a decade. Interestingly though, denial of
service is the less interesting issue that external entity parsing comes with.
It can lead all the way to data exfiltration and remote code execution.

------
aussieguy1234
Time to switch to JSON

~~~
kerng
Yep, there you can have direct code execution with some parsers also... fun
times. Creating objects out of untrusted data can be difficult.

------
mitchtbaum
This is why I switched from yaml to scl. (Rust)

[https://github.com/Keats/scl](https://github.com/Keats/scl)

EDIT: In spite of those who are downvoting my comment without even replying,
I'm leaving it anyway, because sharing good software outweighs whatever loss
they intend to inflict.

~~~
Midnightas
Is Rust the Arch of programming languages?

"Btw I use Rust".

~~~
mitchtbaum
> the Arch of programming languages

I don't get your analogy.

~~~
yareally
I think they were getting at this:

How do you know someone uses "X"? Don't worry, they'll tell you.

~~~
vuln
How do you know if an individual is a vegan, does CrossFit, etc.? Don't worry,
they'll tell you.

~~~
sverige
An elderly lady comes into the police station crying hysterically. "I've just
been mugged!" she cries.

The desk sergeant asks, "Can you describe the mugger?"

"Not really, he grabbed me from behind. I know he's a man, bigger than me, and
he's vegan."

"How on earth do you know he's vegan?"

"He bloody told me!"

