The default behavior is to trust any valid XML signature generated using a valid X.509 certificate trusted by your system's CA store. The results of an attack on a vulnerable XML library can be fairly dramatic.
The original example uses 9 levels of 10 expansions in each level to expand the string to a string of 3 * 10^9 bytes, hence the name "billion laughs".
Three versions of the standard exist (Version 1 “Second Edition”, Version 1.1, and Version 2.0).
See what is signed

It is important to understand and follow the best practice rule of "See what is signed" when verifying XML signatures.
The attack isn't as efficient as the exponential case but it avoids triggering countermeasures of parsers against heavily nested entities.
Some parsers limit the depth and breadth of a single entity but not the total amount of expanded text throughout an entire XML document.
The gist of this rule is: if your application neglects to verify that the information it trusts is what was actually signed, the attacker can supply a valid signature but point you to malicious data that wasn’t signed by that signature.