What is an XML Bomb?
An XML bomb is a document that is well-formed, syntactically valid XML, yet causes the program that parses it to crash or hang by exhausting memory or CPU. It is a denial-of-service payload: the document itself is tiny, so it sails past request-size limits, and the damage is done by the parser's own entity expansion rather than by any malformed input. Penetration testers send XML bombs to check whether a service parses untrusted XML with a hardened parser. The entity definitions that drive the attack can be declared inline in the document's own DTD or pulled in from an external DTD or entity that the parser fetches; a server whose parser expands entities without limits will typically become unresponsive or run out of memory.
The classic form is the "billion laughs" attack: a document of a few hundred bytes that, when parsed, expands into gigabytes of data. The document declares a base entity holding a short string, then a chain of entities each of which references the previous one several times. When the parser substitutes the references, the amount of text grows exponentially with the depth of the chain; ten levels of ten references each turn a few hundred bytes into roughly three billion copies of the base string. The result is a denial of service: the parsing process exhausts memory or CPU, and the service, or any gateway or filter that parses the input on its behalf, stops responding. An XML bomb takes advantage of three properties of XML: entity substitution (the parser replaces each &name; reference with the entity's replacement text), nested entities (an entity's replacement text may itself contain entity references), and inline DTDs (the attacker can define those entities in the internal subset of the document itself, so no external file is needed). Together they produce the 'data explosion' that gives the bomb its name. The defence is equally parser-level: disable DTD processing or entity expansion for untrusted input, or cap the expansion ratio, as recent versions of libexpat do by default.
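The following is an added illustration written for this article, not code from the original page. It builds a small billion-laughs document with the standard library's expat parser, measures how much text the parser materialises, and shows a guard that refuses any DOCTYPE or entity declaration before expansion can begin. Everything in it (the `lol` entity names, the `make_bomb`, `expanded_size`, `parse_text` and `parse_text_guarded` helpers, and the sample sizes) is the example's own construction. The deliberately small instance expands to only 3,000 characters so it is safe to run; the classic nine-level payload is only sized, never parsed.

```python
# Added illustration for this article (not code from the original page):
# build a small "billion laughs" XML bomb, measure the expansion a parser
# must perform, and show a parser-side guard that refuses DTDs/entities.
# Uses only the Python standard library (xml.parsers.expat).
import xml.parsers.expat

LEAF = "lol"  # replacement text of the base entity (assumed name/value)


def make_bomb(depth: int, fanout: int) -> str:
    """Build a billion-laughs style document using an inline DTD.

    lol0 holds LEAF; every lol{n} references lol{n-1} `fanout` times, and the
    root element references the top-level entity once.  The document stays a
    few hundred bytes long regardless of how much it expands to.
    """
    decls = [f'<!ENTITY lol0 "{LEAF}">']
    for level in range(1, depth + 1):
        refs = "".join(f"&lol{level - 1};" for _ in range(fanout))
        decls.append(f'<!ENTITY lol{level} "{refs}">')
    dtd = "\n".join(decls)
    return (
        '<?xml version="1.0"?>\n'
        f"<!DOCTYPE lolz [\n{dtd}\n]>\n"
        f"<lolz>&lol{depth};</lolz>"
    )


def expanded_size(depth: int, fanout: int) -> int:
    """Characters of text the parser materialises for the root element:
    fanout ** depth copies of LEAF, i.e. exponential in the nesting depth."""
    return len(LEAF) * fanout ** depth


def parse_text(doc: str) -> str:
    """Parse with the stdlib expat parser and return the root's character
    data after entity substitution, so the caller can measure the blow-up.
    Only call this on inputs whose expanded_size() you have checked first."""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append  # may arrive in several pieces
    parser.Parse(doc, True)
    return "".join(chunks)


class XmlBombRejected(Exception):
    """Raised when untrusted XML declares a DTD or an entity."""


def parse_text_guarded(doc: str) -> str:
    """Same as parse_text, but abort as soon as the document declares a
    DOCTYPE or an entity, i.e. before any expansion happens.  Refusing DTDs
    outright is the simplest robust policy for services that never need them;
    it is the same approach wrappers such as defusedxml take."""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise XmlBombRejected(f"DOCTYPE {name!r} is not allowed in untrusted input")

    def reject_entity(name, *_ignored):
        raise XmlBombRejected(f"entity declaration {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.Parse(doc, True)  # an exception raised in a handler propagates out of Parse()
    return "".join(chunks)


if __name__ == "__main__":
    # Constructed sample: a deliberately small bomb (3 levels of 10) that is
    # safe to expand, so the effect can be observed without harming the host.
    small = make_bomb(depth=3, fanout=10)
    text = parse_text(small)
    print(f"document: {len(small)} bytes -> expanded text: {len(text)} chars")

    # The classic payload (9 levels of 10) would need ~3 GB for one text node.
    print(f"classic 9x10 bomb would expand to {expanded_size(9, 10):,} chars")

    try:
        parse_text_guarded(small)
    except XmlBombRejected as exc:
        print("guarded parser refused it:", exc)
    print("harmless input still parses:", parse_text_guarded("<lolz>hello</lolz>"))
```

Two design points are worth noting. First, the guard fires on the DOCTYPE declaration itself, so nothing is expanded before the document is rejected; limiting expansion after the fact is harder to get right than refusing DTDs on input paths that never legitimately carry them. Second, `expanded_size` lets a tester reason about a payload's cost analytically before sending it; the 3,000-character instance above is roughly a tenfold amplification of a 316-byte document, whereas the classic nine-level version amplifies the same few hundred bytes into about three billion characters.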