Our third example vulnerability is in the `ms` npm package. This module converts various human-readable time formats into milliseconds. The issue is that our application depends on [email protected], and that version has a Regular Expression Denial of Service (ReDoS) vulnerability.
The package lets us take a string input and parse it into a millisecond value, which our application then uses to schedule a reminder. For example:
To demonstrate this vulnerability, we will move to the terminal. Let's run the following command against our application:
echo 'content=Reboot server in 20 minutes' | http --form $GOOF_HOST/create -v
The result will be console output similar to this:
Now we will take the previous command but replace the number with the digit 5 printed 60,000 times. The regular expression that parses this input takes a non-linear amount of time relative to the input length: the longer the input, the longer the processing time. Let's run the following command:
echo 'content=Reboot server in '`printf "%.0s5" {1..60000}`' minutes' | http --form $GOOF_HOST/create -v
The result here is surprisingly fast: the regular expression matches, so the engine finds its answer on the first pass. However, what happens when the regular expression does not match? To illustrate this, let's take the same command and swap the trailing s in minutes for an a instead. Type the following command:
echo 'content=Reboot server in '`printf "%.0s5" {1..60000}`' minutea' | http --form $GOOF_HOST/create -v
This command will take a long time to process and leaves the application non-responsive while the regular expression engine backtracks through the input. If you try to add or remove tasks in the meantime, the application will not respond: a single request has blocked legitimate requests from being processed.
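The following is an added example, not code from the Goof application or from the `ms` package itself. It reproduces the behaviour described above at a small scale: a duration parser built on a regex with the same ambiguous structure (two overlapping `\d+` groups separated by an optional dot) answers quickly when the input matches and backtracks quadratically when the unit does not match. Beside it is a hardened parser that caps input length before the regex runs and uses an unambiguous number pattern. The regexes, the 100-character cap and the helper names are assumptions made for illustration; they are not the `ms` source.

```javascript
// Added example (not the `ms` or Goof code). The regex shape is an
// assumption modelled on the class of pattern that caused the ReDoS.
const VULNERABLE_RE = /^((?:\d+)?\.?\d+) *(ms|seconds?|s|minutes?|m|hours?|h|days?|d)?$/i;

// Hardened: the number is written so only one parse of the digits is
// possible, and the caller enforces a length cap before the regex runs.
const SAFE_RE = /^(\d+(?:\.\d+)?|\.\d+) *(ms|seconds?|s|minutes?|m|hours?|h|days?|d)?$/i;
const MAX_INPUT_LENGTH = 100; // assumption: a generous bound for a duration string

const UNIT_MS = { ms: 1, s: 1000, m: 60000, h: 3600000, d: 86400000 };

// Map "minutes", "minute", "m" etc. onto the millisecond multiplier.
function unitToMs(unit) {
  const u = (unit || 'ms').toLowerCase();
  return UNIT_MS[u] !== undefined ? UNIT_MS[u] : UNIT_MS[u[0]];
}

// Parser in the vulnerable style: no length check, ambiguous regex.
function parseDurationVulnerable(str) {
  const m = VULNERABLE_RE.exec(str);
  return m ? parseFloat(m[1]) * unitToMs(m[2]) : undefined;
}

// Hardened parser: reject oversized input first, then run a linear regex.
function parseDurationSafe(str) {
  if (typeof str !== 'string' || str.length > MAX_INPUT_LENGTH) return undefined;
  const m = SAFE_RE.exec(str);
  return m ? parseFloat(m[1]) * unitToMs(m[2]) : undefined;
}

// Wall-clock time of fn() in milliseconds.
function timeMs(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Mirror the page's two commands with n digits instead of 60,000: the
// matching input ("minutes") returns on the first pass, while the
// non-matching input ("minutea") forces the engine to retry every split of
// the digit run between the two \d+ groups, which is O(n^2) work.
function backtrackingDemo(n) {
  const digits = '5'.repeat(n); // constructed input
  return {
    matchMs: timeMs(() => parseDurationVulnerable(digits + ' minutes')),
    mismatchMs: timeMs(() => parseDurationVulnerable(digits + ' minutea')),
    safeMismatchMs: timeMs(() => parseDurationSafe(digits + ' minutea')),
  };
}

// Small-scale run so the script stays responsive; raise n to see the growth.
const demo = backtrackingDemo(3000);
console.log('vulnerable, matching input   :', demo.matchMs.toFixed(2), 'ms');
console.log('vulnerable, mismatching input:', demo.mismatchMs.toFixed(2), 'ms');
console.log('hardened, mismatching input  :', demo.safeMismatchMs.toFixed(2), 'ms');

module.exports = { parseDurationVulnerable, parseDurationSafe, unitToMs, backtrackingDemo, MAX_INPUT_LENGTH };
```

The two defences are independent and both are worth having: the length cap bounds the worst case no matter what the regex does, and the unambiguous pattern removes the backtracking in the first place. A reminder string has no legitimate reason to be tens of thousands of characters long, so rejecting it up front costs nothing.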