huntr / ohb00 / 63F1FF91-48F3-4886-A179-103F1DDD8FF8
History: Mar 03, 2023 - 4:55 p.m.

RCE using bad deserialization

2023-03-03 16:55:51
ohb00
www.huntr.dev
qwik
serialization
deserialization
pureserverfunction
javascript code
application/qwik-json
post request
bug bounty
proof of concept
execution environment

EPSS

0.003

Percentile

71.7%

Description

Qwik provides an extended serialization mechanism for exchanging data between the client and server. It can serialize and deserialize Date, Regex, Signal, Function and many other data types.

The Function deserializer can be reached through the pureServerFunction feature. Because the function body is taken from the serialized document itself, a client can supply arbitrary JavaScript code, which Node.js then executes on the server.

Proof of Concept

Sending a POST request with a Content-Type of application/qwik-json to /q-data.json reaches the vulnerable deserialization.

You can see the full proof of concept here. A little finesse is required because of the execution environment.

Video here.
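The bug class described above, as an added example that is not Qwik's own code: a type-tagged JSON document whose function entries are revived with `new Function()`, next to a hardened reviver that resolves function entries only to a server-side registry, and a minimal handler that mirrors the entry point in the proof of concept (a POST with Content-Type application/qwik-json). The wire format (an `_objs` array of one-character-tagged strings), the tag letters, the `SERVER_FUNCTIONS` registry, `handleRequest()` and both request bodies are assumptions constructed for this illustration, not Qwik's real application/qwik-json format or API.

```javascript
// Added example, not Qwik's code. Models the class of bug in the advisory:
// a type-tagged serialization format whose function entries are revived
// with new Function(), so whoever controls the POST body controls code
// that runs inside the server's Node.js process.
// ASSUMED for this illustration: the "_objs" wire format, the tag letters,
// SERVER_FUNCTIONS, handleRequest() and the sample requests below.

const TAG_STRING = 'S';
const TAG_DATE = 'D';
const TAG_REGEX = 'R';
const TAG_FUNCTION = 'F';

// Constructed registry of the only functions the server will hand back.
const SERVER_FUNCTIONS = {
  getGreeting: (name) => `hello, ${name}`,
};

// Revives the data-only tags shared by both variants; undefined for others.
function reviveCommon(tag, payload) {
  switch (tag) {
    case TAG_STRING:
      return payload;
    case TAG_DATE: {
      const d = new Date(payload);
      if (Number.isNaN(d.getTime())) throw new Error('bad date');
      return d;
    }
    case TAG_REGEX: {
      const m = /^\/(.*)\/([a-z]*)$/s.exec(payload);
      if (!m) throw new Error('bad regex');
      return new RegExp(m[1], m[2]);
    }
    default:
      return undefined;
  }
}

// Splits each "_objs" entry into [tag, payload]; rejects malformed input.
function parseDocument(text) {
  const doc = JSON.parse(text);
  if (!doc || !Array.isArray(doc._objs)) throw new Error('malformed document');
  return doc._objs.map((entry) => {
    if (typeof entry !== 'string' || entry.length === 0) throw new Error('malformed entry');
    return [entry[0], entry.slice(1)];
  });
}

// VULNERABLE: a function entry carries JavaScript source and the reviver
// compiles and runs it with the server's privileges.
function deserializeUnsafe(text) {
  return parseDocument(text).map(([tag, payload]) => {
    const v = reviveCommon(tag, payload);
    if (v !== undefined) return v;
    if (tag === TAG_FUNCTION) return new Function('return ' + payload)();
    throw new Error('unknown tag: ' + tag);
  });
}

// HARDENED: a function entry is only a name looked up in a server-side
// registry; client text is never compiled, unknown names are rejected.
function deserializeSafe(text, registry = SERVER_FUNCTIONS) {
  return parseDocument(text).map(([tag, payload]) => {
    const v = reviveCommon(tag, payload);
    if (v !== undefined) return v;
    if (tag === TAG_FUNCTION) {
      if (!Object.prototype.hasOwnProperty.call(registry, payload)) {
        throw new Error('unknown server function: ' + payload);
      }
      return registry[payload];
    }
    throw new Error('unknown tag: ' + tag);
  });
}

// Stand-in for the endpoint in the PoC: only a POST whose Content-Type is
// application/qwik-json reaches the deserializer. The reviver is injected
// so both variants can be run against the same request.
function handleRequest(req, deserialize) {
  if (req.method !== 'POST') return { status: 405 };
  const ctype = String(req.headers['content-type'] || '').split(';')[0].trim();
  if (ctype !== 'application/qwik-json') return { status: 415 };
  try {
    const objs = deserialize(req.body);
    // Invoking the revived function is where attacker code runs (unsafe case).
    const fn = objs.find((o) => typeof o === 'function');
    return { status: 200, result: fn ? fn('world') : null };
  } catch (e) {
    return { status: 400, error: e.message };
  }
}

// Constructed attacker request: the function body only reads process state
// and leaves a marker on globalThis, a harmless stand-in for arbitrary code.
const ATTACK_REQUEST = {
  method: 'POST',
  headers: { 'content-type': 'application/qwik-json' },
  body: JSON.stringify({
    _objs: [
      'D2023-03-03T16:55:51Z',
      'F(function () { globalThis.__example_marker = process.pid; return process.version; })',
    ],
  }),
};

// Constructed legitimate request: names a registered server function.
const LEGIT_REQUEST = {
  method: 'POST',
  headers: { 'content-type': 'application/qwik-json; charset=utf-8' },
  body: JSON.stringify({ _objs: ['FgetGreeting'] }),
};
```

Run `handleRequest(ATTACK_REQUEST, deserializeUnsafe)` and the function body from the request executes in the server process; the same request against `deserializeSafe` is rejected with a 400 before any code is compiled, while `LEGIT_REQUEST` still resolves to the registered function. The design point is that a deserializer must never treat a function body as data to be revived: the only safe representation of a function on the wire is a reference the server can resolve against code it already ships.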
