Several hours ago, security researcher Nir Goldshlager revealed a new crucial vulnerability that allows offenders to launch a very effective denial of service attack, through a process that circumvents existing security measures.

The exploit in question is a variant of a XML-RPC Entity Expansion (XEE) method, best described as a more effective version of the ‘Billions Laugh‘ attack.

The vulnerability exists in all WordPress and Drupal versions, affecting over 250 million websites, roughly 23% of the Internet website population today.

Fixing the Vulnerability

The security team at Incapsula issued an emergency patch, which was deployed across the entire Incapsula network, preventing this vulnerability from affecting any of our WAF-protected clients.

The patch leverages the Incapsulate system’s ability to parse incoming XML messages and implement security logic based on their individual content.

All other WordPress and Drupal website operators are advised to apply the latest security updates, released today by both teams, who joined forces in creating a fix for this exploit.

Having tested the attack method, and witnessing the amount of grief it can cause, we strongly urge to apply these patches as soon as possible.

Patches are available here:

Attack Methodology

XML-RPC is a popular Internet protocol used for cross-platform communication. Both WordPress and Drupal include XML-RPC in their core build, using it to execute remote API calls.

The vulnerability exploits a loophole in XML-RPC parsing, using a method known as ‘entity expansion’ to initiate amplified processing tasks. Together, these tasks can easily deplete large amounts of CPU and memory resources, resulting in latency and server downtime.

As demonstrated by the POC script below, the attack relies on repeated calls to a large ‘payload’ entity, which length can measure tens of thousands of characters. Using multiple calls, nested in a single XML document, an offender can deplete hundreds of Megabytes of memory at a time.

<?xml version="1.0" encoding="iso-8859-1"?><
!DOCTYPE KillWP [
<!ENTITY bomb "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa… 
(assume string length of several tens of thousands chars)"
>]>
<methodCall>
 <methodName>
  aaa&bomb;&bomb;&bomb;&bomb;&bomb;&bomb;&bomb;&bomb;
  &bomb;&bomb;&bomb;&bomb;&bomb;&bomb;&bomb;&bomb; 
  (repeat as necessary) 
 </methodName>
 <params>
  <param><value>aa</value></param>
  <param><value>aa</value></param>
 </params>
</methodCall>

With the Apache server’s default memory allocation set to 128MB per process (for a maximum of 151 allowed WP/Drupal connections), an offender can use this method to deplete up to 19GB of memory.

Simply put, with a single device and a few hundred HTTP requests, an offender can bring down the most resilient of servers.

As mentioned, the attack is similar to the Billion Laughs exploit. However, unlike ‘Billion Laughs’, this exploit doesn’t rely on recursion, which allows it to avoid existing countermeasures, used by XML parsers against heavily nested entities.

Combined with the extremely large pool of targets and the high damage potential, this makes the exploit a triple threat — widespread, crippling and hard to weed out.


Would you like to write for our blog? We welcome stories from our readers, customers and partners. Please send us your ideas: blog@incapsula.com