CS Money: ReDoS at wiki.cs.money graphQL endpoint (AND probably a kind of command injection)
News category: Security vulnerabilities
Source: vulners.com
Summary: The endpoint /graphql has a vulnerable query operation named "search", to which I can send a malformed regex parameter in order to turn the original regular expression into a regex bomb expression.

Payload with a "common" search, querying the value "AAA":

```
query a {
  search(q: "AAA", lang: "en") {
    _id
    weapon_id
    rarity
    collection {
      _id
      name
    }
    collection_id
  }
}
```

Response:

```
{
  "data": {
    "search": [
      {
        "_id": "sticker-baaa-ckstabber",
        "weapon_id": null,
        "rarity": "High Grade",
        "collection": null,
        "collection_id": null
      },
      {
        "_id": "sticker-ork-waaagh",
        "weapon_id": null,
        "rarity": "High Grade",
        "collection": null,
        "collection_id": null
      }
    ]
  },
  "extensions": {
    "tracing": {
      "version": 1,
      "startTime": "2020-10-07T02:07:55.251Z",
      "endTime": "2020-10-07T02:07:55.516Z",
      "duration": 264270190,
      "execution": {
        "resolvers": [
          {
            "path": [ "search" ],
            ...[Resumed for convenience]
          }
        ]
      }
    }
  }
}
```

Pay attention to this part of the JSON response:

```
"startTime": "2020-10-07T02:07:55.251Z",
"endTime": "2020-10-07T02:07:55.516Z",
```

That is an essentially instantaneous response time. Ok, now we're ready to play with this... You can reveal the bug by inserting "\u0000" in the "q" parameter, in order to display an error with part of the graph query. Payload A (see... ...
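As an added defender-side example (not part of the report and not CS.Money's code), the following JavaScript shows the resolver shape that produces this class of bug, where the user-supplied `q` argument is compiled straight into a `RegExp`, next to a hardened version that validates the term and escapes every regex metacharacter before compiling it. The function names, the in-memory `ITEMS` list (two ids taken from the report's response plus one constructed entry) and the `MAX_QUERY_LENGTH` limit are assumptions.

```javascript
// Added example: hardening a GraphQL "search" resolver that builds a regular
// expression from the user-supplied `q` argument. Function names, the ITEMS
// catalogue and MAX_QUERY_LENGTH are assumptions, not the vendor's code.

const MAX_QUERY_LENGTH = 64; // assumed upper bound for a search term

// Escape every regex metacharacter so the user's text is matched literally.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Reject input that should never reach a regex engine: non-strings, empty or
// over-long terms, and control characters (including the NUL byte "\u0000"
// that the report uses to provoke an error message).
function validateSearchTerm(q) {
  if (typeof q !== 'string') return { ok: false, reason: 'q must be a string' };
  if (q.length === 0 || q.length > MAX_QUERY_LENGTH) return { ok: false, reason: 'length' };
  if (/[\u0000-\u001f\u007f]/.test(q)) return { ok: false, reason: 'control character' };
  return { ok: true };
}

// Vulnerable shape: whatever the client sends becomes part of the pattern, so
// metacharacters in `q` change the regex instead of being searched for.
function buildUnsafeSearchRegex(q) {
  return new RegExp(q, 'i');
}

// Hardened shape: validate first, then escape, then compile. The resulting
// pattern is a plain literal and cannot be turned into a pathological one.
function buildSafeSearchRegex(q) {
  const v = validateSearchTerm(q);
  if (!v.ok) throw new Error('invalid search term: ' + v.reason);
  return new RegExp(escapeRegExp(q), 'i');
}

// Constructed sample catalogue standing in for the real item database; the
// first two ids are the ones returned in the report's sample response.
const ITEMS = [
  { _id: 'sticker-baaa-ckstabber', rarity: 'High Grade' },
  { _id: 'sticker-ork-waaagh', rarity: 'High Grade' },
  { _id: 'weapon-ak47-redline', rarity: 'Classified' }, // constructed entry
];

// Resolver body: return the items whose _id contains the literal search term.
function searchResolver(q) {
  const re = buildSafeSearchRegex(q);
  return ITEMS.filter((item) => re.test(item._id));
}

console.log(searchResolver('AAA').map((item) => item._id));
```

Note that `buildUnsafeSearchRegex('a.b')` also matches `axb`, which is the tell that client input is being interpreted as a pattern rather than as text. The `extensions.tracing` block quoted in the report (start and end timestamps, duration, per-resolver execution) is the output of a GraphQL server tracing extension; leaving it enabled in production hands an outside observer a precise per-query timing measurement, so turning it off there removes that signal independently of the regex fix.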