Improper Control of a Resource Through its Lifetime in the input field "Bookmark Tabs" in causefx/organizr
May 13th 2022
The Organizr application does not limit the length of the string submitted in the "Bookmark Tabs" input field; an attacker can submit an arbitrarily long value via a crafted HTTP request and cause a Denial of Service (DoS).
Proof of Concept
1. Log in to the application.
2. Go to "Tab Editor" -> "Bookmark Tabs".
3. Click the + button, fill in all the details, capture the request in Burp Suite, and send it to Repeater.
4. Copy the payload from this link: https://drive.google.com/file/d/11AwLp8Ae1_eJqGb44W9QJDtPmVw-1RSQ/view?usp=sharing, paste it after the parameter name= and click Go.
5. You will see that the application accepts 1,000,000 characters.
This vulnerability can be abused in a DDoS attack, after which genuine users will not be able to access the resource/application.
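The underlying defect is a missing server-side length limit on a user-supplied field. The following is an added example of such a check, written for this report and not taken from the Organizr code base; the constants, function names and the shape of the request handler are assumptions. It rejects an oversized request body before any field is parsed and caps the "name" parameter in both characters and bytes, so a payload of the size described above is refused with a 413 or 400 instead of being stored.

```php
<?php
// Added example (not Organizr project code): server-side length limits for a
// form field such as the bookmark tab "name" parameter. The limits, function
// names and handler layout are assumptions, not values taken from the project.

const MAX_NAME_LENGTH = 255;        // assumed upper bound, in characters, for a tab name
const MAX_BODY_BYTES  = 64 * 1024;  // assumed upper bound, in bytes, for the whole request body

// Reject an oversized request before any field is parsed or stored.
function rejectOversizedBody(int $contentLength, int $limit = MAX_BODY_BYTES): bool
{
    return $contentLength > $limit;
}

// Validate a single text field: present, valid UTF-8, and within the length cap.
function validateName(?string $name, int $limit = MAX_NAME_LENGTH): array
{
    if ($name === null || $name === '') {
        return ['ok' => false, 'error' => 'name is required'];
    }
    if (!mb_check_encoding($name, 'UTF-8')) {
        return ['ok' => false, 'error' => 'name must be valid UTF-8'];
    }
    // mb_strlen counts characters, strlen counts bytes; cap both so a
    // multi-byte string cannot slip past a character-only check.
    if (mb_strlen($name, 'UTF-8') > $limit || strlen($name) > $limit * 4) {
        return ['ok' => false, 'error' => "name exceeds {$limit} characters"];
    }
    return ['ok' => true, 'value' => trim($name)];
}

// Usage inside the request handler (assumed shape, not Organizr's own handler).
if (rejectOversizedBody((int)($_SERVER['CONTENT_LENGTH'] ?? 0))) {
    http_response_code(413); // Payload Too Large
    exit;
}

$result = validateName($_POST['name'] ?? null);
if (!$result['ok']) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => $result['error']]);
    exit;
}
// ... persist $result['value'] only after it has passed validation ...
```

The application-level check should sit behind a transport-level cap as well: PHP's `post_max_size` and the web server's request-body limit (for example `client_max_body_size` in nginx) stop a multi-megabyte body from being buffered at all, which is the cheaper place to absorb a flood of such requests.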