Thirdparty site authorization header leak in sparklemotion/mechanize
Apr 28th 2022
The mechanize library is used to manipulate the URLs of web pages and crawl their contents. mechanize does not filter request headers after a redirect: it forwards the Authorization and Cookie headers of the first request to the service it is redirected to, disclosing the authentication and cookie headers to that service. An attacker can use this behaviour to passively steal a user's authentication and cookie data.
mechanize does not remove the 'Authorization' and 'Cookie' headers when a redirect crosses to a different port on the same host.
Proof of Concept
The agent will request B with the Authorization/Cookie headers attached when it receives a 302 redirect from A.

    # PoC.js (a Ruby script despite the name)
    require 'rubygems'
    require 'mechanize'

    agent = Mechanize.new

    # Seed the cookie jar for host A; the Cookie header built from it is
    # sent to A and, after the redirect, also to B.
    cookie = Mechanize::Cookie.new("JSESSIONID", "BA58528B76124698AD033EE6DF12B986")
    cookie.domain = "localhost"
    cookie.path = "/"
    agent.cookie_jar.add!(cookie)

    # A:3399/auth answers 302 to B; the redirected request carries the headers.
    page = agent.get('http://A:3399/auth')
unauthorized interception and/or retrieval.
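The check a client needs before following a redirect, as an added example that is not mechanize's own code: compare scheme, host and port of the original and redirected URLs, and drop Authorization and Cookie when any of them differ. The header values are constructed placeholders; `headers_for_redirect` and `same_origin?` are names chosen here.

```ruby
# Added example (not mechanize's code): origin comparison and header
# stripping that a client applies before following a Location header, so
# Authorization and Cookie never travel to a different scheme/host/port.
require 'uri'

SENSITIVE_HEADERS = %w[authorization cookie].freeze

# Two URLs share an origin only if scheme, host and port all match.
# A relative Location (e.g. "/home") is resolved against the original URL.
# Port is compared explicitly: http://A:3399 and http://A:8080 differ.
def same_origin?(from, to)
  a = URI(from)
  b = a.merge(to)
  a.scheme == b.scheme &&
    a.host.to_s.downcase == b.host.to_s.downcase &&
    a.port == b.port
end

# Headers to send on the redirected request: unchanged for a same-origin
# hop, with the sensitive ones removed for a cross-origin hop.
def headers_for_redirect(headers, from, to)
  return headers.dup if same_origin?(from, to)
  headers.reject { |name, _| SENSITIVE_HEADERS.include?(name.to_s.downcase) }
end

# Constructed sample: the PoC's request to A:3399, redirected to another
# port on the same host. Credential values are placeholders.
ORIGINAL_HEADERS = {
  'Authorization' => 'Basic ZGVtbzpkZW1v',
  'Cookie' => 'JSESSIONID=BA58528B76124698AD033EE6DF12B986',
  'User-Agent' => 'Mechanize'
}.freeze

if $PROGRAM_NAME == __FILE__
  # Cross-port redirect: only User-Agent survives.
  p headers_for_redirect(ORIGINAL_HEADERS, 'http://A:3399/auth', 'http://A:8080/landing')
  # Same-origin redirect: all headers kept.
  p headers_for_redirect(ORIGINAL_HEADERS, 'http://A:3399/auth', '/home')
end
```

To wire this into a Mechanize client, disable automatic redirects with `agent.redirect_ok = false` and follow the Location header manually with the filtered headers.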