Allocation of Resources Without Limits in "Bookmark Categories" in causefx/organizr
May 11th 2022
The Organizr application allows large characters to insert in the input field "Bookmark Categories" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Proof of Concept
1.Login to the application
2.Go to "Tab Editor" -> "Categories" -> "Bookmark Categories".
3.Click on the + button fill in all details and capture the request in burp suites, and send it to Repeater.
4.Now copy the payload from this link:- https://drive.google.com/file/d/11AwLp8Ae1_eJqGb44W9QJDtPmVw-1RSQ/view?usp=sharing and paste after the parameter category= and click on go.
5.You will see application accepts 1,000,000 characters.
This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.