Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects/follow-redirects
Feb 8th 2022
Clarification of https://huntr.dev/bounties/6d9fd2bf-39e4-4291-b228-30f131b9ccdc/
The Authorization header leaks on a same-hostname HTTPS-to-HTTP redirect. If https://example.com redirects to http://example.com, the Authorization header is carried over to the redirected request (the hostname is unchanged), but that request is now sent over plain HTTP, which provides neither confidentiality nor authentication of the server. Anyone who can observe the traffic (a passive eavesdropper or an active MITM) can therefore read the header. The attacker does NOT need to control example.com; they only need to be able to listen in on the wire. A similar vulnerability in the PSF's (Python Software Foundation) requests module was filed as CVE-2018-18074.
If the attacker can intercept the HTTP request (perform a MITM attack) and https://example.com redirects to http://example.com, they can capture the Authorization header during the same-hostname HTTPS-to-HTTP redirect. They do NOT need to control the hostname.
Implement a same-scheme check in addition to the hostname check; at a minimum, do not forward the Authorization header on an HTTPS-to-HTTP redirect, even when the hostname is unchanged.
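The following is an added example written for this page; it is not follow-redirects' own code and the function names (headersForRedirectHostOnly, headersForRedirectSafe, filterHeaders) are hypothetical. It shows a host-only redirect policy of the kind the advisory describes, which keeps the Authorization header on a same-host https-to-http downgrade, next to a hardened policy that also compares the scheme and strips credential-bearing headers when the redirect downgrades from HTTPS to HTTP. The request headers and URLs are constructed for the demonstration.

```javascript
// Added example (not follow-redirects' own code): two redirect header policies.
// Function names are hypothetical; the request data below is constructed.

// Headers that carry credentials and must not be leaked across a trust boundary.
const CREDENTIAL_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Copies `headers`, omitting credential-bearing ones when `drop` is true.
// Header names are compared case-insensitively but returned unchanged.
function filterHeaders(headers, drop) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (drop && CREDENTIAL_HEADERS.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Weak policy: only checks that the hostname is unchanged. This reproduces the
// behaviour the advisory describes: https://example.com -> http://example.com
// keeps Authorization, so the downgraded request carries it in cleartext.
function headersForRedirectHostOnly(originalUrl, location, headers) {
  const from = new URL(originalUrl);
  const to = new URL(location, originalUrl); // resolves relative Location values
  const crossHost = from.hostname !== to.hostname; // URL lowercases hostnames
  return { target: to.href, dropped: crossHost, headers: filterHeaders(headers, crossHost) };
}

// Hardened policy: additionally strips credentials when the scheme downgrades
// from https to http, even on the same host. A same-host http -> https upgrade
// keeps them, since the redirected request is at least as well protected.
function headersForRedirectSafe(originalUrl, location, headers) {
  const from = new URL(originalUrl);
  const to = new URL(location, originalUrl);
  const crossHost = from.hostname !== to.hostname;
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  const drop = crossHost || downgrade;
  return { target: to.href, dropped: drop, headers: filterHeaders(headers, drop) };
}

// Runs both policies on a constructed same-host HTTPS -> HTTP redirect and
// reports whether each one still forwards the Authorization header.
function demo() {
  const req = { Authorization: 'Bearer constructed-token', Accept: 'application/json' };
  const weak = headersForRedirectHostOnly('https://example.com/login', 'http://example.com/home', req);
  const safe = headersForRedirectSafe('https://example.com/login', 'http://example.com/home', req);
  return { weakLeaks: 'Authorization' in weak.headers, safeLeaks: 'Authorization' in safe.headers };
}

console.log(demo()); // { weakLeaks: true, safeLeaks: false }
```

The hardened policy deliberately keeps non-credential headers such as Accept on every redirect and only compares hostnames, not ports; a stricter deployment could also require the port to match before forwarding credentials.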