[Weekly Challenge] Sabar

Points: 4
Author: dwisiswant0

Description

“Patience is not only the ability to wait, but how we behave while we are waiting.” - Joyce Meyer

Hints

-

Steps to Resolve

With a simple entry point, the program prints cs.flag (which is set to the constant o) only if (new Date).getTime() minus the constant n (recorded when it was initialized) is at least 5 milliseconds. Between those two timestamps the constant o is initialized and the test() method of a RegExp instance (re) is called. Looking at the pattern, it is vulnerable to Regular Expression Denial-of-Service (ReDoS) because it contains the nested quantifier ([\w-]+)*: the inner [\w-]+ matches one or more word characters (alphanumerics and underscores) or hyphens, and the outer * repeats that group zero or more times, so the same run of characters can be divided between repetitions of the group in exponentially many ways. When the overall match then fails, the regex engine tries every one of those divisions before giving up, which is catastrophic backtracking.

Decoded from the link below, the pattern is /^https?:\/\/(www\.)?([a-z0-9-]+)\.[a-z]{2,}\/([\w-]+)*$/. Here is a visualization of it to show the structure better: https://regexper.com/#%2F%5Ehttps%3F%3A%5C%2F%5C%2F%28www%5C.%29%3F%28%5Ba-z0-9-%5D%2B%29%5C.%5Ba-z%5D%7B2%2C%7D%5C%2F%28%5B%5Cw-%5D%2B%29*%24%2F.

So, all we need to do is input a URL whose path is a long run of characters that match group #3, followed by something that makes the overall match fail (the trailing "/" in the input below is not a word character, so $ never matches and the engine has to backtrack through every way of splitting the run). That slows things down enough to pass the 5 ms check.
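As an added illustration (not part of the original writeup or the challenge binary), the snippet below puts the challenge's pattern next to an equivalent one without the nested quantifier and times re.test() on both. The inputs are constructed here; it assumes Node.js 16 or later, where performance is a global.

```javascript
// Added example, not from the original writeup: the challenge's regex next to
// an equivalent pattern that cannot backtrack catastrophically.
// Assumes Node.js 16+ (global `performance`).

// Pattern taken from the writeup's regexper link. Group #3, ([\w-]+)*, nests a
// one-or-more quantifier inside a zero-or-more quantifier, so a run of word
// characters that is followed by something the pattern rejects (e.g. a
// trailing '/') gets re-split between group repetitions 2^(n-1) ways.
const vulnerable = /^https?:\/\/(www\.)?([a-z0-9-]+)\.[a-z]{2,}\/([\w-]+)*$/;

// Same language, no nesting: [\w-]* accepts exactly the strings that
// ([\w-]+)* accepts, but there is only one way to match each of them, so a
// failing input is rejected after a single linear scan.
const hardened = /^https?:\/\/(www\.)?([a-z0-9-]+)\.[a-z]{2,}\/[\w-]*$/;

// Run re.test(input) once and return the result together with the wall time.
function timeTest(re, input) {
  const start = performance.now();
  const matched = re.test(input);
  return { matched, ms: performance.now() - start };
}

// Constructed input in the shape of the writeup's payload: a path of n word
// characters followed by '/', so the overall match must fail and backtrack.
function payload(n) {
  return 'http://x.com/' + 'a'.repeat(n) + '/';
}

// Constructed inputs covering accept and reject cases for both patterns.
const samples = [
  'http://x.com/',                       // empty path: accepted
  'https://www.example.org/some_path-1', // word chars and hyphen: accepted
  'http://x.com/aaaaaaaaaaaaaaaa/',      // the writeup's payload: rejected
  'ftp://x.com/a',                       // wrong scheme: rejected
  'http://x/a',                          // no TLD: rejected
];

// True when the hardened pattern gives the same verdict as the original on
// every sample, i.e. the fix changes performance, not behaviour.
function equivalentOnSamples() {
  return samples.every(s => vulnerable.test(s) === hardened.test(s));
}

// Demo: the original pattern's time grows roughly 2x per extra character,
// the hardened one stays flat.
for (const n of [8, 12, 16]) {
  const v = timeTest(vulnerable, payload(n));
  const h = timeTest(hardened, payload(n));
  console.log(`n=${n}: original ${v.ms.toFixed(2)} ms, hardened ${h.ms.toFixed(3)} ms (matched: ${v.matched})`);
}
```

The usual fix for this class of bug is the one shown: rewrite the repeated group so that each input character can be consumed in only one way, or switch to a linear-time matcher (RE2-style) for user-controlled input.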

$ /path/to/sabar <<< 'http://x.com/aaaaaaaaaaaaaaaa/'
 ________________________________________
/ "Kesabaran bukan hanya kemampuan untuk \
| menunggu, melainkan bagaimana kita     |
| bersikap saat menunggu."               |
|                                        |
\ - Joyce Meyer                          /
 ----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Masukin URLnya: http://x.com/aaaaaaaaaaaaaaaa/
nyoh flag'e: 0rang$abar-DiShayank_AllahS.W.T