Dangerous security bugs stemming from widespread inconsistencies among 16 popular third-party URL-parsing libraries could affect a wide swath of web applications. Eight different security vulnerabilities could allow denial-of-service (DoS) conditions, information leaks and remote code execution (RCE) in various web applications, according to researchers.
The bugs were found in third-party web packages written for various languages, and, like Log4Shell and other software-supply chain threats, could have been imported to hundreds or thousands of different web apps and projects. Among those afflicted are Flask, Video.js, Belledonne, Nagios XI and Clearance.
URL parsing is the process of breaking down a web address into its underlying components, in order to correctly route traffic across different links or into different servers. URL parsing libraries, which are available for various programming languages, are usually imported into applications in order to fulfil this function.
Researchers explained: “URLs are actually built from five different components: scheme, authority, path, query and a fragment. Each component fulfills a different role, be it dictating the protocol for the request, the host which holds the resource, which exact resource should be fetched and more.”
According to a combined analysis, security holes crop up thanks to differences in the way each library goes about its parsing activities. Across the 16 libraries, researchers identified five categories of inconsistencies in how these libraries parse components:
- Scheme confusion: a confusion involving URLs with a missing or malformed scheme
- Slash confusion: a confusion involving URLs containing an irregular number of slashes
- Backslash confusion: a confusion involving URLs containing backslashes (\)
- URL-encoded data confusion: a confusion involving URLs containing URL-encoded data
- Scheme mix-ups: a confusion involving parsing a URL belonging to a certain scheme without a scheme-specific parser
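The five categories above can be turned into a single strict pre-check that a defender runs before any URL reaches the rest of an application. The following example is added here and is not code from the research or from any of the libraries named on this page; it uses Python's `urllib.parse.urlsplit` as its one parser and rejects every URL shape that the five categories are built on, so that any downstream consumer sees the same components. The allowed-scheme set and the sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the application only ever fetches web resources.
ALLOWED_SCHEMES = {"http", "https"}

# Percent-encoded forms of the delimiters that decide URL structure: / \ @ ? # :
# A parser that decodes these after another parser has already split the URL sees a different structure.
ENCODED_DELIMITER = re.compile(r"%(2F|5C|40|3F|23|3A)", re.IGNORECASE)


def reject_reason(url: str):
    """Return None if url is safe to hand on, else a string naming the confusion category it triggers."""
    # Backslash confusion: browsers (WHATWG) treat '\' like '/', RFC 3986 parsers keep it as data.
    if "\\" in url:
        return "backslash confusion: '\\' is a separator for some parsers and data for others"

    parts = urlsplit(url)

    # Scheme confusion: with no scheme, parsers disagree on whether the text is a host or a path.
    if not parts.scheme:
        return "scheme confusion: no scheme present"

    # Scheme mix-ups: a generic parser applied to a scheme it was not written for.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme mix-up: {parts.scheme!r} needs a scheme-specific parser"

    # Slash confusion: https:///host, https:/host and https:host all give urlsplit an empty
    # authority and push the host into the path, while a lenient parser would still see a host.
    if not parts.netloc:
        return "slash confusion: authority is empty, the host would be read from the path"

    # URL-encoded data confusion: an encoded delimiter (or any encoding inside the authority)
    # changes meaning depending on whether a parser decodes before or after splitting.
    if "%" in parts.netloc or ENCODED_DELIMITER.search(url):
        return "URL-encoded data confusion: encoded delimiter present"

    return None


def strict_split(url: str):
    """Parse once, strictly; raise ValueError on any confusable shape, else return (scheme, host, path)."""
    reason = reject_reason(url)
    if reason:
        raise ValueError(reason)
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.hostname, parts.path or "/"


# Constructed sample inputs, one per category, plus a well-formed URL.
SAMPLES = [
    "https://www.example.com/search?q=url",
    "//www.example.com/path",
    "https:///www.google.com",
    "https://www.example.com\\@other.example",
    "https://www.example.com/%2F%2Fother.example",
    "ldap://directory.example/cn=admin",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:50} -> {reject_reason(sample) or 'ok'}")
```

The order of the checks matters: the backslash test runs on the raw string because `urlsplit` would otherwise silently keep the backslash as path data and the later checks would pass.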
The problem is that these inconsistencies can create vulnerable code blocks, thanks to two main web-app development issues:
- Multiple Parsers in Use: Whether by design or an oversight, developers sometimes use more than one URL parsing library in projects. Because some libraries may parse the same URL differently, vulnerabilities could be introduced into the code.
- Specification Incompatibility: Different parsing libraries are written according to different web standards or URL specifications, which creates inconsistencies by design. This also leads to vulnerabilities because developers may not be familiar with the differences between URL specifications and their implications.
As an example of a real-world attack scenario, slash confusion could lead to server-side request forgery (SSRF) bugs, which could be used to achieve RCE. Researchers explained that different libraries handle URLs with more than the usual number of slashes (https:///www.google.com, for instance) in different ways. Some of them ignore the extra slash, while others interpret the URL as having no host.
In the former case, accepting malformed URLs with an incorrect number of slashes can lead to SSRF. URL confusion is also responsible for the Log4Shell patch bypass, because two different URL parsers were used inside the JNDI lookup process: one parser was used for validating the URL, and another for fetching it.
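The two development issues above (multiple parsers in use, specification incompatibility) and the slash-confusion SSRF scenario come together in a validate-with-one-parser, fetch-with-another pattern. The example below is added here and is not code from the research or from any library on this page. It models the pattern with Python's `urllib.parse.urlsplit` on the validation side and a constructed, deliberately lenient regex parser standing in for a fetch library that "ignores the extra slash" (it is not a real package), then shows the single-parse version in which the validated components, not the raw string, are what the fetch stage receives. No network request is made; each function returns the host the request would have gone to, or `"BLOCKED"`.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed stand-in for a second, lenient URL library: "scheme:" followed by one OR MORE
# slashes, then the authority. It is an assumption for this example, not a real parser.
LENIENT_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:/+([^/?#]*)")


def lenient_host(url: str) -> str:
    """Host as the lenient (fetch-side) parser sees it: https:///h and https://h both give 'h'."""
    m = LENIENT_AUTHORITY.match(url)
    return m.group(1) if m else ""


def is_internal(host: str) -> bool:
    """Denylist used by the SSRF guard: loopback, private and link-local addresses, and 'localhost'."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ip_address(host)
    except ValueError:
        return False  # not an IP literal; a real guard would also resolve names
    return ip.is_loopback or ip.is_private or ip.is_link_local


def fetch_target_vulnerable(url: str) -> str:
    """Two parsers: urlsplit validates, the lenient parser decides where the request goes.

    For https:///127.0.0.1/admin urlsplit reports no host, so nothing internal is seen and the
    check passes, while the lenient parser still extracts 127.0.0.1 and would connect to it.
    """
    checked_host = urlsplit(url).hostname or ""
    if is_internal(checked_host):
        return "BLOCKED"
    return lenient_host(url)  # the raw string is re-parsed by a different library


def fetch_target_hardened(url: str) -> str:
    """One parse: the same components are validated and then handed to the fetch stage."""
    parts = urlsplit(url)
    host = parts.hostname
    # An empty authority (https:///host, https:/host, https:host) is rejected outright instead
    # of being interpreted differently by a later stage.
    if parts.scheme not in ("http", "https") or not host:
        return "BLOCKED"
    if is_internal(host):
        return "BLOCKED"
    # The fetch stage would be given (parts.scheme, host, parts.port, parts.path), never `url`.
    return host


if __name__ == "__main__":
    # Constructed sample: a well-formed external URL and the three-slash variant of an internal one.
    for sample in ("https://www.example.com/api", "http:///127.0.0.1/admin"):
        print(f"{sample:32} vulnerable -> {fetch_target_vulnerable(sample):16} "
              f"hardened -> {fetch_target_hardened(sample)}")
```

The fix is not a better denylist; it is removing the second parser from the decision. Once the validated `parts` object is the only thing the fetch stage ever sees, a disagreement between libraries has nothing to disagree about.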
Open-redirect vulnerabilities are popular for exploitation because they enable spoofing, phishing and man-in-the-middle (MITM) attacks. They occur when a web application accepts a user-controlled input that specifies the URL the user will be redirected to after a certain action. When a user logs into a website, for example, they could be redirected to a malicious lookalike site.
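The post-login redirect described above is where backslash, slash and URL-encoded data confusion show up on the client side: a server-side parser may see a harmless local path while the browser, following the WHATWG rules, reads the same string as a protocol-relative URL to another host. The example below is added here and is not code from the research or from any library on this page. It normalises the candidate the way a browser would (strips tabs and newlines, treats `\` as `/`, percent-decodes) before deciding, and only ever returns an in-site path; the function name, fallback value and sample inputs are constructed for the example.

```python
from urllib.parse import urlsplit, unquote

# Characters browsers drop from a URL (tab, CR, LF) and the one they rewrite ('\' -> '/').
_BROWSER_NORMALISE = str.maketrans("\\", "/", "\t\r\n")


def browser_view(candidate: str, rounds: int = 3) -> str:
    """Approximate how a browser will read the redirect target before the server's parser does.

    Percent-decoding is repeated a bounded number of times so that double-encoded slashes
    (%252F) are also unmasked; decoding is conservative here because it can only cause rejection.
    """
    text = candidate.strip()
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.translate(_BROWSER_NORMALISE)


def safe_redirect_target(candidate: str, fallback: str = "/") -> str:
    """Return an in-site path derived from candidate, or fallback if candidate could leave the site."""
    if not candidate:
        return fallback
    normalised = browser_view(candidate)
    # Must be a single leading slash: "//host" is protocol-relative and "///host" is read the same way.
    if not normalised.startswith("/") or normalised.startswith("//"):
        return fallback
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return fallback
    # Redirect to the string that was actually checked, never to the raw candidate.
    return parts.path + (f"?{parts.query}" if parts.query else "")


if __name__ == "__main__":
    # Constructed samples: one legitimate target and several shapes that parsers disagree on.
    for sample in ("/dashboard?tab=1", "//attacker.example/x", "/\\attacker.example",
                   "/%2F%2Fattacker.example", "https://attacker.example", "/\t/attacker.example"):
        print(f"{sample!r:32} -> {safe_redirect_target(sample)!r}")
```

Note that `urlsplit` alone would have accepted `/\attacker.example` and `/%2F%2Fattacker.example` as local paths, which is exactly the server-versus-browser disagreement the research describes; the normalisation step is what closes that gap.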
Neuways advises users to be wary of any applications they use. By ensuring those applications are updated with the most recent security patches, issues such as those described above can be avoided.