Authentication Bypass by Primary Weakness in ionicabizau/parse-url

Valid

Reported on

Jan 10th 2022


Description

urldomain validation bypass

Proof of Concept

parse-url not able verify urldomain properly when basic authentication is given .This allow to bypass hostname validation . Lets username is admin and password is password123@ and hostname is 127.0.0.1 . so the url will be http://admin:password123@@127.0.0.1 . And there is blacklist check for domain 127.0.0.1 and every request to 127.0.0.1 will be blocked .\

Now lets use parse-url

// PoC.js
parseUrl("http://admin:password123@@127.0.0.1/xxxx")

result

{ protocols: [ 'http' ],
  protocol: 'http',
  port: null,
  resource: 'admin',
  user: '',
  pathname: '/password123@@127.0.0.1/xxx',
  hash: '',
  search: '',
  href: 'http://admin:password123@@127.0.0.1/xxx',
  query: {} }

So, here see resource var not able to properly detect the urldomain 127.0.0.1 which allow bypass domain verifiaction.
Here resource is selected as admin and also pathname is not able to detect properly . If there is pathname validation present like blackilist for path /xxx then it will bypass here as here returned pathname is /password123@@127.0.0.1/xxx .

I see all other nodejs url parse like nodejs default url parser able to detect this properly but parse-url is vulnerable here .

Impact

This vulnerability is capable of...

We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. 7 months ago
We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back 7 months ago
We have sent a follow up to the ionicabizau/parse-url team. We will try again in 7 days. 7 months ago
Ionică Bizău (Johnny B.) validated this vulnerability 7 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the ionicabizau/parse-url team. We will try again in 7 days. 5 months ago
We have sent a second fix follow up to the ionicabizau/parse-url team. We will try again in 10 days. 5 months ago
We have sent a third and final fix follow up to the ionicabizau/parse-url team. This report is now considered stale. 4 months ago
Ionică Bizău (Johnny B.) confirmed that a fix has been merged on 21c72a 2 months ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty
index.js#L35-L49 has been validated
to join this conversation