By Fernando Arnaboldi
Recursion is the process of repeating items in a self-similar way, and that’s what the XML Entity Expansion (XEE) is about: a small string is referenced a huge number of times.
Technology standards sometimes include features that affect the security of applications. Amit Klein found in 2002 that XML entities could be used to make parsers consume an unlimited amount of resources and then crash, which is called a billion laughs attack. When the XML parser tries to resolve the entities the document includes, the application starts consuming all available memory until the process crashes.
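As an added, defensive example (not code from the post or its author), the following Python computes how much text a document's entity references would expand to without ever building the expanded string, so an application can reject a document whose expansion exceeds a chosen limit before a real parser allocates it; the sample document, the size limit and all function names are assumptions.

```python
import re

# Constructed sample (not from the post): each entity references the previous
# one three times, so the expansion grows as 3**depth while the file stays tiny.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
"""

# Internal general entities with a double-quoted value. Parameter entities
# (<!ENTITY % ...>) and external entities are not matched, so not counted.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")

def parse_entities(xml_text):
    """Return {entity name: literal value} for the internal DTD subset."""
    return dict(ENTITY_DECL.findall(xml_text))

def expanded_size(entities, name, memo, visiting=frozenset()):
    """Characters produced by fully expanding &name;, computed without ever
    building the expanded string. Raises ValueError on a reference cycle."""
    if name in memo:
        return memo[name]
    if name in visiting:
        raise ValueError(f"recursive entity reference: &{name};")
    if name not in entities:
        return 1  # predefined (&amp;) or undeclared entity: count one char
    body = entities[name]
    size = len(ENTITY_REF.sub("", body))  # literal characters in the value
    for ref in ENTITY_REF.findall(body):  # plus every nested reference
        size += expanded_size(entities, ref, memo, visiting | {name})
    memo[name] = size
    return size

def document_expansion(xml_text):
    """Total expanded size of all entity references in the document body."""
    entities = parse_entities(xml_text)
    body = xml_text.split("]>", 1)[-1]  # content after the internal subset
    memo = {}
    return sum(expanded_size(entities, ref, memo) for ref in ENTITY_REF.findall(body))

def is_safe_to_parse(xml_text, max_expansion=10_000):
    """Gate to run on untrusted XML before handing it to a real parser."""
    return document_expansion(xml_text) <= max_expansion
```

The sample is a few hundred bytes on disk but expands to 81 characters at depth 3; each extra level multiplies the figure by three, which is why the check must run before expansion rather than after.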