Shiny Vulnerabilities in R's Most Popular Web Framework / nastystereo.com

Submitted by Style Pass, 2024-12-02 16:00:01

This post shares two of my findings from a quick look at Shiny, the most popular web framework for use with the R programming language.

Shiny applications primarily communicate dynamic data via a WebSocket accessible at the path /websocket. The code responsible for parsing attacker-controlled data received over the WebSocket was found within the decodeMessage function inside R/server.R. The function reads an integer length value, but disregards the possibility of a negative value.

The first adjustment of the variable i is an increase of 4, so by specifying a length of -4, which is used for the second adjustment, the value of i effectively never increases, resulting in an infinite loop.
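As an added illustration (not code from the original post or from Shiny), here is a bounds-checked decoder in R for a length-prefixed message that rejects the negative length described above before the cursor is advanced. The framing (repeated 4-byte length plus payload), the little-endian byte order and the names read_int32, decode_parts and frame are assumptions made for this example.

```r
# Added example: hardened decoder for a length-prefixed binary message.
# Assumed framing (not taken from Shiny): repeated [int32 length][payload],
# little-endian. All function names here are hypothetical.

read_int32 <- function(data, pos) {
  if (pos + 3L > length(data)) stop("truncated length field")
  readBin(data[pos:(pos + 3L)], what = "integer", n = 1L, size = 4L,
          endian = "little")
}

decode_parts <- function(data) {
  stopifnot(is.raw(data))
  i <- 1L
  parts <- list()
  while (i <= length(data)) {
    len <- read_int32(data, i)
    # A negative length would move the cursor backwards below; with -4 it
    # cancels the +4 step and the loop never terminates. NA covers the one
    # 32-bit pattern that R cannot represent as an integer.
    if (is.na(len) || len < 0L) stop("invalid part length")
    i <- i + 4L
    # Bytes remaining from position i to the end of the message.
    if (len > length(data) - i + 1L) stop("part length exceeds message")
    parts[[length(parts) + 1L]] <-
      if (len == 0L) raw(0) else data[i:(i + len - 1L)]
    i <- i + len
  }
  parts
}

# Constructed sample inputs: one well-formed message, one with length -4.
frame <- function(len, payload = raw(0)) {
  c(writeBin(as.integer(len), raw(), size = 4L, endian = "little"), payload)
}
good <- c(frame(2L, as.raw(c(0x68, 0x69))), frame(0L))
bad  <- frame(-4L)

str(decode_parts(good))
print(tryCatch(decode_parts(bad), error = function(e) conditionMessage(e)))
```

The key property is that every iteration either stops with an error or moves the cursor forward by at least 4 bytes, so the loop is bounded by the message size.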

To test if your application is vulnerable, the following client-side JavaScript can be executed. If vulnerable, CPU usage of the R process should stay at 100% and memory usage will steadily climb.

Within the sessionHandler function defined in the file R/middleware-shiny.R I found that session tokens are accepted as part of the URL
