Suggestion (Comparison Operators)

[xen00rw]

Hello there guys!

I was creating some Bchecks yesterday and I missed some comparison operators.

I noticed this case while creating GraphQL Alias/Array-based Queries Bchecks where I tried to report an issue just if the result contained more than X occurences of a string.

Tried using RegEx but not working properly.

Am I missing something? If not, it would be a very nice feature :)

Thought about something like:

metadata:
  language: v1-beta
  name: "Some name"
  description: "Some description."
  tags: "tags"
  author: "someone"

given response then
  if ("string" matches > 5 times in {latest.response.body}) then
    report issue:
      severity: low
      confidence: tentative
      detail: "Some detail."
      remediation: "Some remediation."
  end if

[Michelle-PortSwigger]

Hi

When you tried using RegEx did you try this kind of option, to look for mysearchstring appearing 3 or more times?

if {latest.response} matches "(.mysearchstring.){3,}" then

Would this help in your scenario?

[xen00rw]

Yeah! I have tried exactly that, and didn't work.

Even if the response had 6 exactly matches

My RegEx was:

...
    if {array_based.response.body} matches "(?i)(\"data\"){6,}" then
      report issue:
        severity: medium
        confidence: firm
        detail: "Some detail."
        remediation: "Some remediation."
    end if

But it didn't work

[Michelle-PortSwigger]

I've just been having a check back through this and I think we have a very slight difference in our RegEx. In your BCheck, can you give this a try?
"(?i)(.*data.*){6,}"

[xen00rw]

Hey Michelle

Well... I've tried this, and still not working, let me send you the full bcheck, see if heps:

metadata:
  language: v1-beta
  name: "[Active Check] POST GraphQL ArrayBased Queries"
  description: "Looks on GraphQL requests and try to run an ArrayBased Query."
  tags: "active", "entry-point"
  author: "xen00rw"

given request then
  if ("application/json" in {latest.request.headers} and {latest.request.method} is "POST") then
    send request called array_based:
      replacing body: `[{latest.request.body},{latest.request.body},{latest.request.body},{latest.request.body},{latest.request.body},{latest.request.body}]`

    if {array_based.response.body} matches "(?i)(\"data\"){1,6}" then
      report issue:
        severity: medium
        confidence: tentative
        detail: "It is an misconfiguration where the GraphQL API let the user run multiple queries inside an array ([]) in a single HTTP Request. This is not properly an vulnerability depending on the case, but it can be fully exploited in order to bypass rate limits and more. This can be kinda dangerous if you run multiple requests with multiple queries inside it, turns out it can become an Denial of Service (DoS)."
        remediation: "It's important to limit the quantity of queries done in a single request, guarantee that the body of the request is just one query, and not more than that. #https://www.acunetix.com/vulnerabilities/web/graphql-array-based-query-batching-allowed-potential-batching-attack-vulnerability/"
    end if
  end if

[Michelle-PortSwigger]

Hi

Sorry, the formatting on my previous comment didn't come out quite right.

Where you have
if {array_based.response.body} matches "(?i)(\"data\"){1,6}" then

Can you change it to
if {array_based.response.body} matches "(?i)(.*data.*){1,6}" then

and let me know how you get on?

[xen00rw]

Yeah it matches, it's the one that I'm currently using until I don't find a solution.

But I would like to match just if there are 6 exactly results.

We already tried these below, do you have some more tips/idea?

(?i)(.*data.*){6,}
(?i)(.data.){6,}
(?i)(\"data\"){6,}

[Michelle-PortSwigger]

Sorry, I thought you were looking for x or more occurrences rather than a specific number of occurrences.

Leave it with us, and we'll take another look.

[xen00rw]

Perfect!

Thanks alot for your help! :)

If I see some workaround, I'll let you know too

[Michelle-PortSwigger]

I don't yet have a RegEx which is finding a specific number of occurrences of a set string.

When you've been testing this yourself, have you just been testing the RegEx within the BCheck? Have you tested them successfully outside of the BCheck, maybe using an online checker?

[xen00rw]

I have tried some cases outside Burp, but didn't work too.

Also using Burp Search. That's why I came here to suggest an possible feature of comparison.

For example this snippet in Python:

...
text = "This is a sample text with sample string occurrences. Another sample string."
string_to_match = "sample"
matches = re.findall(string_to_match, text)
if len(matches) == 6:
...

P.S.: That doesn't stop Bcheck from already being awesome! hehehe

[Michelle-PortSwigger]

Can you help us gather more details about your use case, to make sure I capture everything?

• How often do you think you would need to use this feature? Do you have any more detailed scenarios you'd be happy to share with us? If you'd rather share these with us directly feel free to send them to [email protected]
• Would exact number of matches, less than/greater than a certain number of matches, less than or equal to/greater than or equal to a certain number of matches, cover all your scenarios?
• Would you mainly be using this match in the response body or do you have other use cases?

[xen00rw]

Hey Michelle, sorry for the latency to response.

I will send you guys an e-mail with more details. Thanks alot!

[Michelle-PortSwigger]

No worries :)
We've got your email, we'll be in touch soon.