Authentication Bypass by Primary Weakness in ionicabizau/parse-url

Valid

Reported on Jan 10th 2022


Description

URL domain (hostname) validation bypass

Proof of Concept

parse-url is not able to determine a URL's host correctly when basic-auth credentials containing an "@" are present, which allows hostname validation to be bypassed. Suppose the username is admin, the password is password123@ and the hostname is 127.0.0.1, so the URL is http://admin:password123@@127.0.0.1. Suppose also that there is a blocklist check for the domain 127.0.0.1, so that every request to 127.0.0.1 should be blocked.

Now let's run this URL through parse-url:

// PoC.js (run against a parse-url version before the fix in 7.0.0)
const parseUrl = require("parse-url");
// The password "password123@" contains an "@", so the real host is 127.0.0.1
console.log(parseUrl("http://admin:password123@@127.0.0.1/xxx"));

Result:

{ protocols: [ 'http' ],
  protocol: 'http',
  port: null,
  resource: 'admin',
  user: '',
  pathname: '/password123@@127.0.0.1/xxx',
  hash: '',
  search: '',
  href: 'http://admin:password123@@127.0.0.1/xxx',
  query: {} }

So here the resource value does not identify the URL's actual domain 127.0.0.1, which allows the domain verification to be bypassed.
resource is set to admin, and pathname is parsed incorrectly as well: if a pathname validation is in place, such as a blocklist for the path /xxx, it is also bypassed, because the returned pathname is /password123@@127.0.0.1/xxx.

I see that all other Node.js URL parsers, such as the Node.js default URL parser, are able to detect this properly, but parse-url is vulnerable here.
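The following is an added example, not code from the original report or from the parse-url project. It puts a deliberately naive host extractor (an illustration of the bug class only; it is not parse-url's implementation and fails differently from the output shown above) next to a check built on Node's built-in WHATWG URL parser, and runs both against the report's PoC URL. The blocklist and the helper names (naiveHost, whatwgHost, isBlocked, whatwgParts) are assumptions made for the demo.

```javascript
// Added example (not parse-url's code): naive "split at the first @" host
// extraction beside a WHATWG URL based check, run on the report's PoC URL.
// Uses Node's global URL class (the WHATWG parser), no third-party modules.

// Constructed blocklist for this demo; the report only says 127.0.0.1 is blocked.
const BLOCKED_HOSTS = new Set(["127.0.0.1", "localhost", "[::1]"]);

// Naive authority parser, shown only to illustrate the bug class (NOT
// parse-url's implementation): it takes the text between "://" and the first
// "/", "?" or "#" as the authority and splits userinfo from host at the FIRST
// "@". A password containing "@" therefore shifts the host boundary and the
// extracted host no longer matches the blocklist.
function naiveHost(input) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(input);
  if (!m) return null;
  const authority = m[1];
  const at = authority.indexOf("@");
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  return hostport.split(":")[0].toLowerCase();
}

// WHATWG URL parsing: the host boundary is the LAST "@" in the authority and
// any earlier "@" is kept inside the credentials as "%40", so the hostname
// is the one the request will actually go to.
function whatwgHost(input) {
  try {
    return new URL(input).hostname.toLowerCase();
  } catch {
    return null; // not a valid absolute URL
  }
}

// Fail closed: a URL the parser rejects is treated as blocked.
function isBlocked(input, hostFn) {
  const host = hostFn(input);
  return host === null || BLOCKED_HOSTS.has(host);
}

// The WHATWG view of the same URL, for comparison with the parse-url output.
function whatwgParts(input) {
  const u = new URL(input);
  return {
    username: u.username,
    password: u.password,
    hostname: u.hostname,
    pathname: u.pathname,
  };
}

// The PoC URL from the report.
const POC = "http://admin:password123@@127.0.0.1/xxx";

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive host: ", naiveHost(POC), "blocked:", isBlocked(POC, naiveHost));
  console.log("WHATWG host:", whatwgHost(POC), "blocked:", isBlocked(POC, whatwgHost));
  console.log(whatwgParts(POC));
}
```

With the naive extractor the PoC URL yields a host of "@127.0.0.1", which is not on the blocklist, so the request would be allowed; with the WHATWG parser the host is "127.0.0.1", the password comes back as "password123%40" and the pathname as "/xxx", so the same blocklist blocks it. The practical takeaway for consumers of parse-url on an affected version is to derive the host for any allow/block decision from the same parser the HTTP client will use, or at least from the WHATWG parser, rather than from a separate library's output.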

Impact

This vulnerability is capable of...

We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. 2 years ago
We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back 2 years ago
We have sent a follow up to the ionicabizau/parse-url team. We will try again in 7 days. 2 years ago
Ionică Bizău (Johnny B.) validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the ionicabizau/parse-url team. We will try again in 7 days. 2 years ago
We have sent a second fix follow up to the ionicabizau/parse-url team. We will try again in 10 days. 2 years ago
We have sent a third and final fix follow up to the ionicabizau/parse-url team. This report is now considered stale. a year ago
Ionică Bizău (Johnny B.) marked this as fixed in 7.0.0 with commit 21c72a a year ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty
This vulnerability will not receive a CVE
index.js#L35-L49 has been validated