Question 1

What is an XML bomb?

Accepted Answer

An XML bomb, also known as the Billion Laughs attack, is a denial-of-service attack that exploits XML entity expansion. A small XML document defines nested entities that expand exponentially, consuming gigabytes of memory when parsed. A related attack, XXE (XML External Entity), can read local files or make server-side requests.

Question 2

How do I prevent XML bomb attacks?

Accepted Answer

Disable DTD processing and external entity resolution in your XML parser. Set limits on entity expansion depth and total expansion size. Use defused XML parsing libraries (like defusedxml in Python), validate XML against a strict schema, and consider using simpler formats like JSON when XML features are not needed.

XML Bomb (Billion Laughs)

Challenges

Frequently Asked Questions