
CWE-776 XML Entity Expansion (Billion Laughs)

Description

XML Entity Expansion (Billion Laughs, also called an XML bomb) is a denial-of-service weakness in XML parsers that honour a document's own DTD. The attacker declares a chain of nested entities (the classic payload uses ten levels, each referencing the previous one ten times) so that a single reference in the body expands to roughly 10^9 copies of a short string, several gigabytes of text, exhausting memory and CPU before the application ever sees the parsed document. Any Java code that hands untrusted XML to a parser with DTD processing left on is exposed.

Reference: https://cwe.mitre.org/data/definitions/776.html

OWASP Category: A05:2021 – Security Misconfiguration


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// VULNERABLE: the default factory accepts a DOCTYPE, so the document may declare its own entities
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Nothing here forbids a DTD or caps expansion; xmlInput is untrusted (e.g. a request body)
Document doc = factory.newDocumentBuilder().parse(xmlInput);

Why it's vulnerable: the parser is created with its defaults, so a `<!DOCTYPE>` in the input can declare entities that reference each other in nested layers, and one reference in the body expands to an enormous string. The JDK's bundled parser stops at 64,000 expansions by default, but that is a backstop rather than a fix: a third-party Xerces build on the classpath does not apply it, a deployment can raise or remove it through `jdk.xml.entityExpansionLimit`, and leaving DTD processing on also exposes the code to external entities (CWE-611).


Deterministic Fix

✅ Example 2: Secure Implementation

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// SECURE: forbid DOCTYPE declarations entirely, so no entity can be declared
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // enforces the JAXP expansion and size limits
factory.setExpandEntityReferences(false); // keep entity references as DOM nodes instead of inlining them
Document doc = factory.newDocumentBuilder().parse(xmlInput);

Why it's secure: `disallow-doctype-decl` makes the parser reject any document that carries a `<!DOCTYPE>`, so neither internal nor external entities can be declared and there is nothing to expand; this single feature removes the Billion Laughs attack. Secure processing keeps the JAXP limits (entity expansion count, element and attribute sizes) in force as defence in depth. `setExpandEntityReferences(false)` only changes how entity references appear in the resulting DOM and is not a defence on its own. If the application must accept documents with a DOCTYPE, keep the DTD but disable external general and parameter entities and set an explicit `entityExpansionLimit` instead, as in remediation step 3 below.


Detection Pattern

Look for these patterns in your codebase:

# List Java files that create an XML parser factory but never disable DOCTYPE declarations
grep -rlE "DocumentBuilderFactory|SAXParser" --include="*.java" . | xargs grep -L "disallow-doctype-decl"

Treat each listed file as a lead rather than a confirmed finding: the hardening may live in a shared factory helper, so follow the factory to where its features are set.

Remediation Steps

  1. Disable DOCTYPE declarations (set the `http://apache.org/xml/features/disallow-doctype-decl` feature to true). On its own this removes internal entity expansion.

  2. Enable the secure-processing feature (`XMLConstants.FEATURE_SECURE_PROCESSING`) so the JAXP limits stay in force.

  3. If a DOCTYPE must be accepted, set an explicit entity expansion limit (`http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit`) and disable external general and parameter entities.

  4. Disable entity reference expansion in the DOM (`setExpandEntityReferences(false)`); this is defence in depth, not a substitute for step 1.
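The following class is an added, self-contained Java example and not code from the original skill: it packages the fix above and remediation steps 1 to 4 into a hardened builder, adds the DOCTYPE-tolerant fallback from step 3 (external entities off, explicit `entityExpansionLimit`) for parsers that must accept a DTD, and constructs a small entity bomb in memory to confirm that both configurations refuse it. The class name `Cwe776Demo`, the helper names, the depth of 4 and the cap of 1000 are choices made for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class Cwe776Demo {

    /** Preferred fix: refuse any DOCTYPE, so the document cannot declare entities at all. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // JAXP size and expansion limits
        f.setExpandEntityReferences(false); // keep entity refs as DOM nodes rather than inlining them
        return f.newDocumentBuilder();
    }

    /** Fallback for documents that legitimately carry a DOCTYPE: keep the DTD, cap expansion, cut off the network. */
    static DocumentBuilder limitedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP property: maximum number of entity expansions in one document (the JDK default is 64000)
        f.setAttribute("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", "1000");
        return f.newDocumentBuilder();
    }

    /** Constructed payload: each level references the previous one ten times, so depth d yields 10^d copies of "lol". */
    static String billionLaughs(int depth) {
        StringBuilder sb = new StringBuilder("<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n <!ENTITY lol \"lol\">\n");
        for (int i = 1; i <= depth; i++) {
            String prev = (i == 1) ? "lol" : "lol" + (i - 1);
            sb.append(" <!ENTITY lol").append(i).append(" \"");
            for (int j = 0; j < 10; j++) sb.append('&').append(prev).append(';');
            sb.append("\">\n");
        }
        return sb.append("]>\n<lolz>&lol").append(depth).append(";</lolz>").toString();
    }

    /** Returns true when the builder accepts the document; a SAXParseException means the parser refused it. */
    static boolean accepts(DocumentBuilder builder, String xml) throws Exception {
        try {
            Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String benign = "<order><id>42</id></order>";
        // depth 4 means 10 + 100 + 1000 + 10000 entity expansions: below the JDK default, above our cap of 1000
        String attack = billionLaughs(4);

        System.out.println("hardened builder, benign document: " + accepts(hardenedBuilder(), benign));
        System.out.println("hardened builder, entity bomb:     " + accepts(hardenedBuilder(), attack));
        System.out.println("limited builder,  entity bomb:     " + accepts(limitedBuilder(), attack));
    }
}
```

Compile and run with `javac Cwe776Demo.java && java Cwe776Demo` on a JDK using its bundled parser: the hardened builder accepts the benign order and refuses the bomb at the `<!DOCTYPE>` line, while the limited builder refuses it once the expansion count passes 1,000. `accepts` is the shape a unit test should assert on (true for the application's fixtures, false for the bomb). The classic depth-9 payload would also be stopped by the JDK default of 64,000, but not by a third-party Xerces build on the classpath or by a deployment that raised `jdk.xml.entityExpansionLimit`, which is why the limits are set explicitly here instead of being inherited.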


Key Imports


import javax.xml.parsers.DocumentBuilderFactory;

import javax.xml.XMLConstants;


Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code


Trigger Examples

Fix CWE-776 vulnerability
Resolve XML Entity Expansion (Billion Laughs) issue
Secure this Java code against xml entity expansion (billion laughs)
SAST reports CWE-776

Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |


References


Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07
