---
name: cwe-776-xml-entity-expansion
description: Use this skill when you need to remediate CWE-776 (XML Entity Expansion (Billion Laughs)) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing XML entity expansion (billion laughs) issues.
version: 1.0.0
license: MIT
tags:
  - security
  - java
  - cwe-776
  - remediation
  - sast
---
# CWE-776 XML Entity Expansion (Billion Laughs)

## Description

CWE-776, "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", covers XML parsers that accept a DOCTYPE with entity declarations and expand them without bounds. An attacker supplies a small document whose entities reference each other in layers (the classic "billion laughs" payload: ten layers, each referencing the previous one ten times, which expands to 10^9 copies of the base string). Parsing it exhausts memory and CPU, so the impact is denial of service rather than data disclosure, although the same parser misconfiguration usually also allows XXE (CWE-611).

Reference: https://cwe.mitre.org/data/definitions/776.html

OWASP Category: A05:2021 – Security Misconfiguration
## Vulnerable Pattern

### ❌ Example 1: Vulnerable Pattern

```java
// VULNERABLE: DTD enabled allows entity expansion
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Default settings allow entity expansion attack
Document doc = factory.newDocumentBuilder().parse(xmlInput);
```

Why it's vulnerable: `DocumentBuilderFactory.newInstance()` returns a parser that accepts a DOCTYPE with an internal DTD, so attacker-controlled input can declare entities and reference them recursively. The JDK's built-in parser does cap total expansions (`jdk.xml.entityExpansionLimit`, default 64,000) as long as secure processing is not switched off, but `newInstance()` picks up whichever JAXP implementation is first on the classpath, and a third-party parser may enforce no such limit. Relying on an implicit default instead of an explicit parser configuration is the defect SAST is reporting.
## Deterministic Fix

### ✅ Secure Implementation

```java
// SECURE: Disable DTD and entity expansion
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Reject any document that carries a DOCTYPE; without a DTD no entity can be declared
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Turn on the JAXP secure-processing limits (XMLConstants.FEATURE_SECURE_PROCESSING)
factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
// Defence in depth only: not sufficient on its own
factory.setExpandEntityReferences(false);
Document doc = factory.newDocumentBuilder().parse(xmlInput);
```

Why it's secure: `disallow-doctype-decl` makes the parser throw a `SAXParseException` as soon as it meets a `<!DOCTYPE ...>`, before any entity is declared or expanded, which closes both CWE-776 and XXE (CWE-611) in one setting. Secure processing enables the JDK's expansion and size limits as a second layer. `setExpandEntityReferences(false)` is kept as defence in depth but must not be the only control, because it does not stop the parser from processing the DTD. Note that `setFeature` throws the checked `ParserConfigurationException`, so the calling method must declare or handle it; if a parser implementation rejects the feature, fail closed rather than fall back to the default factory.
## Detection Pattern

Look for these patterns in your codebase. The feature string and the factory construction are normally on different lines, so a line-level `grep -v` would filter out nothing; list the files that construct a parser and then drop the ones that also mention `disallow-doctype-decl`:

```bash
# Files that create a DOM or SAX parser but never disable DOCTYPE declarations
grep -rl --include="*.java" -E "DocumentBuilderFactory|SAXParserFactory" . \
  | xargs grep -L "disallow-doctype-decl"
```

Review the resulting list by hand: a factory may be hardened in a shared helper class, and StAX (`XMLInputFactory`) and JAXB/transformer entry points use different property names and need their own search.
## Remediation Steps

1. Disable DOCTYPE declarations (`disallow-doctype-decl` = true); this alone removes the attack surface.
2. Enable the secure processing feature (`XMLConstants.FEATURE_SECURE_PROCESSING`).
3. If DOCTYPE must stay enabled for a legitimate reason, set an explicit entity expansion limit (for the JDK's built-in parser, e.g. `-Djdk.xml.entityExpansionLimit=1000`) and disable external entities.
4. Disable entity reference expansion (`setExpandEntityReferences(false)`) as defence in depth.
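The following is an added, self-contained example (not code from the original skill text) that carries the remediation steps above through in one helper and doubles as the unit-test style check called for under Verification. The class name `HardenedXmlParser` and the `billionLaughs()` payload generator are assumptions for illustration; the payload is constructed inline so the example runs offline. It parses a benign document successfully and shows the hostile one being rejected at the DOCTYPE line, before any entity is expanded.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Builds a DocumentBuilder that refuses DOCTYPE declarations outright.
    // Without a DTD no entity can be declared, so a billion-laughs payload cannot
    // even be expressed; the remaining settings are defence in depth.
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Belt and braces in case a later change re-enables DOCTYPE:
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    public static Document parse(DocumentBuilder builder, String xml) throws Exception {
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Constructed billion-laughs payload (test input, not a captured attack): each level
    // references the previous one ten times, so a parser that expanded it would build
    // 10^9 copies of "lol" (about 3 GB) from a few hundred bytes of input.
    static String billionLaughs() {
        StringBuilder doc = new StringBuilder(
            "<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n <!ENTITY lol \"lol\">\n");
        for (int level = 1; level <= 9; level++) {
            doc.append(" <!ENTITY lol").append(level).append(" \"");
            String previous = (level == 1) ? "lol" : "lol" + (level - 1);
            for (int i = 0; i < 10; i++) {
                doc.append('&').append(previous).append(';');
            }
            doc.append("\">\n");
        }
        doc.append("]>\n<lolz>&lol9;</lolz>");
        return doc.toString();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder = hardenedBuilder();

        // Benign input without a DOCTYPE still parses normally.
        Document ok = parse(builder, "<config><key>value</key></config>");
        System.out.println("benign root element: " + ok.getDocumentElement().getTagName());

        // The hostile input is rejected at the DOCTYPE, before any entity is expanded.
        try {
            parse(builder, billionLaughs());
            System.out.println("FAIL: payload was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

To turn `main` into a regression test, move the two checks into a JUnit method and assert that `parse(builder, billionLaughs())` throws `SAXParseException`; the test takes milliseconds because the exception is raised on the DOCTYPE line, whereas the same payload against an unhardened `DocumentBuilderFactory.newInstance()` on a parser without expansion limits would run until memory is exhausted.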
## Key Imports

```java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.XMLConstants;
```
## Verification

After remediation:

- Run the SAST scanner to confirm the finding is resolved
- Review all instances of the vulnerable pattern
- Add unit tests that feed a DOCTYPE-bearing document to the hardened parser and assert that it is rejected
- Check for similar patterns in related code (SAX, StAX and transformer entry points)
## Trigger Examples

- Fix CWE-776 vulnerability
- Resolve XML Entity Expansion (Billion Laughs) issue
- Secure this Java code against XML entity expansion (billion laughs)
- SAST reports CWE-776
## Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
## References

- CWE-776: https://cwe.mitre.org/data/definitions/776.html
- OWASP XML External Entity Prevention Cheat Sheet (covers the same JAXP features): https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

Source: Generated by Java CWE Security Skills Generator. Last Updated: 2026-03-07