billion laughs
n.
An online attack that attempts to disable a website by sending a specially formatted sequence of characters such as "lol" and "ha".
Example Citations:
This is called the "Billion Laughs" attack—without going too far into the nuances of XML trickery, you can see that this file has a series of ENTITY entries, each of which references and expands to the ones above it. So the file grows exponentially in memory when it is parsed, consumes CPU cycles, and mushrooms in size to eat up the memory space of its host computer.
Wouter Coekaerts discovered that ejabberd, a distributed XMPP/Jabber server written in Erlang, is vulnerable to the so-called "billion laughs" attack because it does not prevent entity expansion on received data.
—"Debian Security Advisory: DSA-2248-1 ejabberd — denial of service," http://www.debian.org/security/2011/dsa-2248, Debian, March 31, 2011
Earliest Citation:
You can easily construct a few entities that expand to a huge result. Depending on how your parser returns things, this may use lots of memory or merely use up lots of CPU time. There is an example at http://www.cogsci.ed.ac.uk/~richard/billion-laughs.xml I don't recommend loading this file into a browser.
—Richard Tobin, "Re: Malicious XML," http://www.stylusstudio.com/xmldev/200211/post30610.html, XML-DEV, November 5, 2002
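Both citations describe the same mechanism: each entity refers to the one below it, so the expanded text grows by a fixed factor per level. As an added example (not from this entry or from either cited source), the Python gate below sizes that expansion arithmetically before any parser is allowed to build it, and generalizes to any depth and fan-out; the regex-based DTD reader, the function names, the thresholds and the sample document are all constructed for illustration.

```python
import re
# Internal general entity declarations only; external (SYSTEM/PUBLIC) and parameter (%) entities do not match.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([^\s%&]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([^;\s&]+);')
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*(?:\[.*?\])?\s*>', re.DOTALL)

def parse_entities(xml_text):
    """Map each declared internal entity name to its literal replacement text."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ENTITY_DECL.finditer(xml_text)}

def expanded_size(name, entities, cache, stack=()):
    """Length of &name; fully expanded, computed arithmetically, never built."""
    if name in stack:
        raise ValueError("recursive entity reference: " + name)
    body = entities.get(name)
    if body is None:  # undeclared or predefined (&amp;): stays as written
        return len(name) + 2
    if name not in cache:
        total, pos = 0, 0
        for m in ENTITY_REF.finditer(body):
            total += m.start() - pos  # literal text before this reference
            total += expanded_size(m.group(1), entities, cache, stack + (name,))
            pos = m.end()
        cache[name] = total + len(body) - pos
    return cache[name]

def estimate_expansion(xml_text):
    """Size of the content outside the DTD once every entity reference is expanded."""
    entities, cache = parse_entities(xml_text), {}
    content = DOCTYPE.sub("", xml_text, count=1)
    total = len(content)
    for m in ENTITY_REF.finditer(content):
        total += expanded_size(m.group(1), entities, cache) - len(m.group(0))
    return total

def is_safe_to_parse(xml_text, max_bytes=10_000_000, max_factor=10.0):
    """Pre-parse gate: reject if expansion is too large outright or relative to input."""
    try:
        estimate = estimate_expansion(xml_text)
    except ValueError:  # recursive entities are invalid XML anyway; reject
        return False
    return estimate <= max_bytes and estimate <= max_factor * max(len(xml_text), 1)
# Constructed sample: a three-level chain of fan-out 10, the shape the citations describe.
NESTED = '''<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>'''
```

The 287-byte sample expands to about 3 KB, already past a 10x budget; a ten-level chain like the one Tobin linked is sized the same way in microseconds, without the parser ever allocating the gigabytes it would expand to.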
Notes:
Two thumbs pointing skyward to Grant Barrett and Paul Ford for uncovering this term.

New words. 2013.