Open xen00rw opened 10 months ago
Hi
When you tried using RegEx did you try this kind of option, to look for mysearchstring appearing 3 or more times?
if {latest.response} matches "(.mysearchstring.){3,}" then
Would this help in your scenario?
Yeah! I have tried exactly that, and didn't work.
Even if the response had exactly 6 matches.
My RegEx was:
...
```
if {array_based.response.body} matches "(?i)(\"data\"){6,}" then
  report issue:
    severity: medium
    confidence: firm
    detail: "Some detail."
    remediation: "Some remediation."
end if
```
But it didn't work
I've just been having a check back through this and I think we have a very slight difference in our RegEx. In your BCheck, can you give this a try?
"(?i)(.*data.*){6,}"
Hey Michelle
Well... I've tried this, and it's still not working. Let me send you the full BCheck, see if it helps:
```
metadata:
  language: v1-beta
  name: "[Active Check] POST GraphQL ArrayBased Queries"
  description: "Looks at GraphQL requests and tries to run an ArrayBased Query."
  tags: "active", "entry-point"
  author: "xen00rw"

given request then
  if ("application/json" in {latest.request.headers} and {latest.request.method} is "POST") then
    send request called array_based:
      replacing body: `[{latest.request.body},{latest.request.body},{latest.request.body},{latest.request.body},{latest.request.body},{latest.request.body}]`

    if {array_based.response.body} matches "(?i)(\"data\"){1,6}" then
      report issue:
        severity: medium
        confidence: tentative
        detail: "It is a misconfiguration where the GraphQL API lets the user run multiple queries inside an array ([]) in a single HTTP request. This is not properly a vulnerability, depending on the case, but it can be fully exploited in order to bypass rate limits and more. This can be kinda dangerous if you run multiple requests with multiple queries inside them; it turns out it can become a Denial of Service (DoS)."
        remediation: "It's important to limit the number of queries done in a single request, and guarantee that the body of the request is just one query, not more than that. #https://www.acunetix.com/vulnerabilities/web/graphql-array-based-query-batching-allowed-potential-batching-attack-vulnerability/"
    end if
  end if
```
Hi
Sorry, the formatting on my previous comment didn't come out quite right.
Where you have
if {array_based.response.body} matches "(?i)(\"data\"){1,6}" then
Can you change it to
if {array_based.response.body} matches "(?i)(.*data.*){1,6}" then
and let me know how you get on?
Yeah, it matches. It's the one I'm currently using until I find a solution.
But I would like to match only if there are exactly 6 results.
We already tried these below, do you have some more tips/idea?
(?i)(.*data.*){6,}
(?i)(.data.){6,}
(?i)(\"data\"){6,}
Sorry, I thought you were looking for x or more occurrences rather than a specific number of occurrences.
Leave it with us, and we'll take another look.
Perfect!
Thanks a lot for your help! :)
If I see some workaround, I'll let you know too
I don't yet have a RegEx which is finding a specific number of occurrences of a set string.
When you've been testing this yourself, have you just been testing the RegEx within the BCheck? Have you tested them successfully outside of the BCheck, maybe using an online checker?
I have tried some cases outside Burp, but didn't work too.
Also using Burp Search. That's why I came here to suggest a possible comparison feature.
For example this snippet in Python:
```python
import re

text = "This is a sample text with sample string occurrences. Another sample string."
string_to_match = "sample"
matches = re.findall(string_to_match, text)
if len(matches) == 6:
    ...  # report the issue here
```
P.S.: That doesn't stop Bcheck from already being awesome! hehehe
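As an added example (not code from the issue or from PortSwigger's BCheck), this puts the findall count from the snippet above next to a single regular expression that matches a body only when it contains exactly N occurrences of a token. The trick is a "tempered" gap `(?:(?!token).)*` between repeats, so `{n}` counts whole occurrences anywhere in the body rather than only adjacent ones, which is why `("data"){6,}` never matches a real JSON response. The batched and single GraphQL responses are constructed samples; that BCheck's `matches` accepts this pattern unchanged is an assumption the thread does not confirm.

```python
import json
import re

# Constructed sample: a GraphQL server that accepted a batch of six queries
# answers with a six-element array, one "data" object per query.
BATCH_RESPONSE = json.dumps([{"data": {"user": {"id": i}}} for i in range(6)])
# Constructed sample: a server that processed only one query answers once.
SINGLE_RESPONSE = json.dumps({"data": {"user": {"id": 0}}})

TOKEN = r'"data"'  # the key whose repetitions reveal that batching was honoured


def count_occurrences(body: str, token: str = TOKEN) -> int:
    """The approach from the Python snippet: count non-overlapping hits."""
    return len(re.findall(token, body, flags=re.IGNORECASE))


def occurrence_regex(token: str, n: int, at_least: bool = False) -> str:
    """Build one regex that matches the whole body iff it contains exactly n
    (or, with at_least=True, n or more) occurrences of token.

    gap consumes any run of characters that does not start an occurrence, so
    the repeated group (token gap){n} can neither skip nor double-count hits.
    (?s) lets '.' cross newlines in pretty-printed JSON; ^ and $ anchor the
    whole body so the count is exact regardless of search vs. full match."""
    gap = rf"(?:(?!{token}).)*"
    quant = f"{{{n},}}" if at_least else f"{{{n}}}"
    return rf"(?is)^{gap}(?:{token}{gap}){quant}$"


def has_exactly(body: str, n: int, token: str = TOKEN) -> bool:
    return re.fullmatch(occurrence_regex(token, n), body) is not None


def has_at_least(body: str, n: int, token: str = TOKEN) -> bool:
    return re.fullmatch(occurrence_regex(token, n, at_least=True), body) is not None


def compare_patterns(body: str) -> dict:
    """Show why the adjacent-only pattern from the thread fails on real JSON
    while the tempered pattern reports the count correctly."""
    return {
        "adjacent_only": re.search(r'(?i)("data"){6,}', body) is not None,
        "tempered_exactly_6": has_exactly(body, 6),
    }
```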
Can you help us gather more details about your use case, to make sure I capture everything?
Hey Michelle, sorry for the delay in responding.
I will send you guys an e-mail with more details. Thanks a lot!
No worries :) We've got your email, we'll be in touch soon.
Hello there guys!
I was creating some Bchecks yesterday and I missed some comparison operators.
I noticed this case while creating GraphQL Alias/Array-based Queries BChecks, where I tried to report an issue only if the result contained more than X occurrences of a string.
Tried using RegEx but not working properly.
Am I missing something? If not, it would be a very nice feature :)
Thought about something like: