Insufficiently complex hash function used in `useFetch` means return data cannot be trusted in nuxt/framework
Jul 5th 2022
The `useFetch` function uses the ohash library to key requests. This hash function outputs a 32-bit number, so finding a collision for it is easy.
In a situation where `useFetch` is called more than once, any call after the first that passes untrusted input in any argument is vulnerable.
Consider the following situation:
- The username is loaded from the API using `useFetch`.
- HTML to be reflected onto the page is requested using `useFetch`, with a user-controlled header `lang` passed in the options.
An attacker can do the following:
- Calculate the hash value of the first API call.
- Find a value for which hash(username request) = hash(html request).
- Change their username to an HTML payload.
- Trigger the request with the value of `lang` that causes the collision.
While this scenario would only trigger self-XSS, you can imagine how this could cause a variety of issues, from RCE to XSS, because this possibility is not documented and part of this handling occurs on the server side.
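The keying problem described above, as an added example that is not nuxt/framework or ohash code: a simulated fetch cache keyed by a constructed 32-bit hash (FNV-1a, standing in for any 32-bit key function), the birthday-bound check showing why that key space is too small, and a cache that compares the full canonical request on every hit so a colliding request becomes a miss instead of returning another request's data. The URL and option names are made up for the demonstration.

```javascript
// Deterministic serialization of a request (URL plus options with sorted keys), so
// two different requests can never serialize to the same string.
function canonicalRequest(url, options = {}) {
  const sortKeys = (v) => {
    if (Array.isArray(v)) return v.map(sortKeys);
    if (v && typeof v === 'object') {
      return Object.fromEntries(Object.keys(v).sort().map((k) => [k, sortKeys(v[k])]));
    }
    return v;
  };
  return JSON.stringify({ url, options: sortKeys(options) });
}

// Constructed 32-bit key function (FNV-1a). This is NOT ohash's algorithm; it only
// stands in for any key with a 2^32 output space.
function hash32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Birthday bound: about sqrt(2^bits) distinct requests before two share a key,
// i.e. roughly 65,536 for a 32-bit key, well within reach of one attacker.
function birthdayBoundRequests(bits) {
  return Math.sqrt(2 ** bits);
}

// Cache indexed by the short hash that also stores the canonical key and compares
// it on every hit, so a collision becomes a counted miss instead of returning
// another request's data. Keying by canonicalRequest() alone removes the issue.
class VerifiedCache {
  constructor() { this.slots = new Map(); this.collisions = 0; }
  store(url, options, value) {
    const canon = canonicalRequest(url, options);
    this.slots.set(hash32(canon), { canon, value });
  }
  lookup(url, options) {
    const canon = canonicalRequest(url, options);
    const slot = this.slots.get(hash32(canon));
    if (slot === undefined) return undefined;
    if (slot.canon !== canon) { // same 32-bit key, different request
      this.collisions += 1;
      return undefined;
    }
    return slot.value;
  }
}
```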
Proof of Concept
Add `?motd=1` to the URL, then add `?motd=y8jZ4OYVgtb4t4CrbwSOz5ZoklNMFOAxPR6lchnFmKU=` to the URL.
In this example the `motd` can be replaced with the user's name. While the MOTD was trusted data, the username could be any value provided by the user.
This collision took around 15 minutes to find.
It's entirely dependent on how the data from `useFetch` is used. Any subsequent action taken under the impression that the data is trusted can potentially be exploited.
I'd imagine the most likely issue to occur would be XSS. I was not able to find any examples of this issue occurring within open source projects, so I'm unable to provide a better answer.