Qwik provides an extended serialization mechanism for exchanging data between the client and server.
This allows for the serialization and deserialization of Date, Regex, Signal, Function and many other useful data types.
The Function deserializer can be accessed using the pureServerFunction feature, which allows arbitrary JavaScript code to be passed in and run by Node.js.
Sending a POST request with a content type of application/qwik-json to /q-data.json triggers the vulnerable deserialization.
You can see the full proof of concept here. There is a little bit of finesse required due to the execution environment.
Video here.
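A detection check, added here as an example and not part of the original writeup, that scans constructed reverse-proxy log entries for the request shape described above (POST, a path whose last segment is q-data.json, content type application/qwik-json) and returns them for review; the JSON-per-line log schema and the sample entries are assumptions.

```javascript
// Added example (not from the original writeup). Flags log entries whose
// request shape matches the trigger described above. The log schema
// (method, path, content_type, src, ts as JSON per line) is an assumption.
const TRIGGER_PATH_RE = /\/q-data\.json(?:[?#]|$)/i;
const TRIGGER_CONTENT_TYPE = "application/qwik-json";

function isQwikJsonDeserializationCandidate(entry) {
  if (!entry || typeof entry !== "object") return false;
  const method = String(entry.method || "").toUpperCase();
  const path = String(entry.path || "");
  // Content-Type may carry parameters ("; charset=utf-8"); compare the media type only.
  const mediaType = String(entry.content_type || "").split(";")[0].trim().toLowerCase();
  return method === "POST" && TRIGGER_PATH_RE.test(path) && mediaType === TRIGGER_CONTENT_TYPE;
}

// Parse JSON-per-line log text and return the entries worth reviewing.
function findCandidates(lines) {
  const hits = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (isQwikJsonDeserializationCandidate(entry)) hits.push(entry);
  }
  return hits;
}

// Constructed sample log lines; only the second one matches the trigger shape.
const SAMPLE_LOG = [
  '{"ts":"2023-06-01T10:00:00Z","src":"198.51.100.7","method":"GET","path":"/docs/q-data.json","content_type":""}',
  '{"ts":"2023-06-01T10:00:01Z","src":"203.0.113.9","method":"POST","path":"/q-data.json","content_type":"application/qwik-json; charset=utf-8"}',
  '{"ts":"2023-06-01T10:00:02Z","src":"203.0.113.9","method":"POST","path":"/api/items","content_type":"application/qwik-json"}',
  '{"ts":"2023-06-01T10:00:03Z","src":"192.0.2.5","method":"POST","path":"/blog/q-data.json?x=1","content_type":"application/json"}',
  'not json at all',
];

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of findCandidates(SAMPLE_LOG)) {
    console.log(`candidate from ${hit.src} at ${hit.ts}: ${hit.method} ${hit.path}`);
  }
}
```

Run against real proxy logs only after checking what your own Qwik application's legitimate traffic to q-data.json looks like, so the rule is tuned to your baseline.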
github.com/BuilderIO/qwik/blob/1cd2bd634f48bf528356ecac3acb74ce5d60c67c/packages/qwik-city/middleware/request-handler/request-event.ts#L211
github.com/BuilderIO/qwik/blob/1cd2bd634f48bf528356ecac3acb74ce5d60c67c/packages/qwik-city/middleware/request-handler/request-event.ts#L278
github.com/BuilderIO/qwik/blob/1cd2bd634f48bf528356ecac3acb74ce5d60c67c/packages/qwik-city/middleware/request-handler/resolve-request-handlers.ts#L168
github.com/BuilderIO/qwik/blob/1cd2bd634f48bf528356ecac3acb74ce5d60c67c/packages/qwik-city/middleware/request-handler/resolve-request-handlers.ts#L249
github.com/BuilderIO/qwik/blob/1cd2bd634f48bf528356ecac3acb74ce5d60c67c/packages/qwik/src/core/container/resume.ts#L55