返回 Skill 列表
extension
分类: 开发与工程无需 API Key

cwe-776-xml-entity-expansion

当需要修复Java代码中的CWE-776(XML实体扩展(十亿笑声))漏洞时,请使用此技能。触发于静态应用程序安全测试结果、安全审查或修复xml实体扩展(十亿笑声)问题时。

person作者: jakexiaohubgithub

CWE-776 XML Entity Expansion (Billion Laughs)

Description

XML Entity Expansion (Billion Laughs)

Reference: https://cwe.mitre.org/data/definitions/776.html

OWASP Category: A05:2021 – Security Misconfiguration


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: DTD enabled allows entity expansion
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Default settings allow entity expansion attack
Document doc = factory.newDocumentBuilder().parse(xmlInput);

Why it's vulnerable: This pattern is vulnerable to XML Entity Expansion (Billion Laughs)


Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Disable DTD and entity expansion
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
factory.setExpandEntityReferences(false);
Document doc = factory.newDocumentBuilder().parse(xmlInput);

Why it's secure: Implements proper protection against XML Entity Expansion (Billion Laughs)


Detection Pattern

Look for these patterns in your codebase:

# Find XML parsing without security features
grep -rn "DocumentBuilderFactory\\|SAXParser" --include="*.java" | grep -v "disallow-doctype"

Remediation Steps

  1. Disable DOCTYPE declarations

  2. Enable secure processing feature

  3. Set entity expansion limit

  4. Disable entity reference expansion


Key Imports


import javax.xml.parsers.DocumentBuilderFactory;

import javax.xml.XMLConstants;


Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code


Trigger Examples

Fix CWE-776 vulnerability
Resolve XML Entity Expansion (Billion Laughs) issue
Secure this Java code against xml entity expansion (billion laughs)
SAST reports CWE-776

Common Vulnerable Locations

| Layer | Files | Patterns | |-------|-------|----------|

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |


References


Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07