Billion laughs attack (wikipedia.org)
110 points by henning on Jan 6, 2019 | 24 comments

If you're parsing XML then external entities (allowing local file inclusion or server side request forgery) are much more dangerous for you than this denial of service. OWASP has a cheat sheet for disabling XXE on a few different parsers:


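An added example, not from any commenter in this thread: a defensive pre-check for the XML case built only on Python's standard-library expat binding. It bounds entity expansion from the DTD declarations alone, before any content is expanded; the guard class, its names, the byte budget and the constructed test document are all assumptions of this example.

```python
import re
import xml.parsers.expat

ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")

class EntityExpansionError(ValueError):
    """The DTD declares an entity whose expansion exceeds the budget."""

class ExpansionGuard:
    # Expat reports each <!ENTITY> with nested general-entity references still unexpanded ("&lol1;&lol1;..."), so the full size is computable up front.
    def __init__(self, max_expansion):
        self.max_expansion = max_expansion
        self.entities = {}  # name -> replacement text as declared

    def expanded_size(self, name, stack=()):
        if name in stack:
            raise EntityExpansionError(f"recursive entity reference: {name}")
        value = self.entities.get(name)
        if value is None:  # undeclared or external: count the literal "&name;"
            return len(name) + 2
        size, pos = 0, 0
        for ref in ENTITY_REF.finditer(value):
            size += ref.start() - pos + self.expanded_size(ref.group(1), stack + (name,))
            pos = ref.end()
        return size + len(value) - pos

    def on_entity_decl(self, name, is_parameter, value, base, system_id, public_id, notation):
        if is_parameter or value is None:  # only internal general entities are expanded into content
            return
        self.entities.setdefault(name, value)  # first declaration wins, as in XML
        size = self.expanded_size(name)
        if size > self.max_expansion:
            raise EntityExpansionError(f"entity {name!r} expands to {size} bytes (limit {self.max_expansion})")

def parse_with_guard(xml_bytes, max_expansion=10_000):
    """Parse with expat and return the character data; refuse the document at DTD time if any entity would exceed the budget."""
    guard = ExpansionGuard(max_expansion)
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = guard.on_entity_decl  # exceptions raised here propagate out of Parse()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)

def make_lol_bomb(depth, fanout=10):
    """Constructed test input: lol{k} is fanout copies of lol{k-1}, so lol{depth} expands to 3 * fanout**depth bytes."""
    decls = ['<!ENTITY lol0 "lol">']
    for k in range(1, depth + 1):
        decls.append(f'<!ENTITY lol{k} "{"&lol%d;" % (k - 1) * fanout}">')
    return f"<?xml version='1.0'?><!DOCTYPE lolz [{''.join(decls)}]><lolz>&lol{depth};</lolz>".encode()
```

With the default 10,000-byte budget, a depth-3 document (3,000 bytes expanded) parses normally while a depth-4 one (30,000 bytes) is rejected while its DTD is still being read.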
Interestingly, many browsers are still susceptible to this attack, for example when used in SVG files (WARNING: might crash your browser and/or operating system): https://jsfiddle.net/e3guLn08/

Browsers are susceptible to a server that generates an infinite HTML page (e.g. CGI shell script calling "yes <arg>"), and also to a thing called JavaScript that can eat all your memory programmatically (and does exactly so on a regular basis).

Is this just a 21st century zip bomb?

0: https://en.m.wikipedia.org/wiki/Zip_bomb

The linked Wikipedia entry specifically references zip bombs as "a similar attack utilizing zip archives".

Pretty sure this existed in the 20th century too.

And here I thought this would be a variant of the hypothetical Chinese chair attack: https://www.straightdope.com/columns/read/142/if-all-chinese...

A similar attack on CSS in browsers was shown recently here: https://cras.sh/

> A "Billion laughs" attack should exist for any file format that can contain references, for example this YAML bomb:

C preprocessor?

  $ gcc -E - | wc   # macros read from stdin; the final line LOL5 expands to 16^5 LOL tokens
  #define EXP(X) X X X X X X X X X X X X X X X X
  #define LOL1 EXP(LOL)
  #define LOL2 EXP(LOL1)
  #define LOL3 EXP(LOL2)
  #define LOL4 EXP(LOL3)
  #define LOL5 EXP(LOL4)
  LOL5
  11 1048588 4194376
Not normally considered a "file format", though. People don't open a C preprocessor attachment in their e-mail only to have some application grind their PC and crash. Or use this for RPC calls and whatnot.

This is loads of fun against batteries-included web frameworks like Rails, Grails, Play Framework and so on. Not sure about now, but a few years ago basically all of them were susceptible to this and XXE and it was extremely difficult to disable in the XML parsers.

This has been around for well over a decade. Interestingly though, denial of service is the less interesting issue that external entity parsing comes with. It can lead all the way to data exfiltration and remote code execution.

Time to switch to JSON

Yep, there you can have direct code execution with some parsers also... fun times. Creating objects out of untrusted data can be difficult.

This is why I switched from yaml to scl. (Rust)


EDIT: In spite of those who are downvoting my comment without even replying, I'm leaving it anyway; cause sharing good software outweighs whatever loss they intend to inflict.

Funny you should mention that. I found this while trying to decide which YAML library to use for Rust. https://github.com/dtolnay/serde-yaml/issues/53

Yep, that issue and https://github.com/chyh1990/yaml-rust/issues/102 discuss the problem. But with scl we get a clean slate.

Is Rust the Arch of programming languages?

"Btw I use Rust".

I think that Rust has captured many developers that previously used JavaScript, so it's their first introduction to things like static typing. As a result they are amazed that a compiler can show them errors in their code before it's run.

> the Arch of programming languages

I don't get your analogy.

I think they were getting at this:

How do you know someone uses "X"? Don't worry, they'll tell you.

How do you know if an individual is a vegan, does CrossFit, etc? Don't worry, they'll tell you.

An elderly lady comes into the police station crying hysterically. "I've just been mugged!" she cries.

The desk sergeant asks, "Can you describe the mugger?"

"Not really, he grabbed me from behind. I know he's a man, bigger than me, and he's vegan."

"How on earth do you know he's vegan?"

"He bloody told me!"

"...new iPhone..."
