Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

ParseThru: HTTP parameter smuggling flaw uncovered in several Go applications

A new vulnerability has been found that could allow an attacker to gain unauthorized access to cloud-based Golang applications.

The use of unsafe URL parsing methods built into the open source cloud-native language would allow a threat actor to bypass validations under certain conditions, according to researchers from Oxeye.

“ParseThru is a parameter smuggling attack, which means that under certain conditions, it lets a threat actor bypass validations based on HTTP request parameters due to the use of unsafe URL parsing,” Oxeye head of research Daniel Abeles told The Daily Swig.

“A successful compromise can result in various outcomes for a potential threat actor, from reading sensitive data and exfiltrating secrets to performing actions on behalf of other users and more.”

Smuggling semicolons

GoLang – or Go – uses the ‘net/url’ library to parse URLs and, prior to version 1.17, would consider semicolons in the query part of the URL as a valid delimiter. With version 1.17, however, semicolons are treated as an error, and one of the methods responsible for getting the parsed query string ignores the error returned.

This means that when a Go-based public API built on version 1.17 or later communicates with an internal service running a prior version, specially crafted requests containing a semicolon in the query string could be smuggled through.

Oxeye researchers found a number of instances in several open source projects that they were successfully able to exploit. These included CNCF-graduated project Harbor, an open source registry that secures artifacts with policies and role-based access control. Here, “an authenticated user (even with the lowest permission level) can issue a special request to read image layers of restricted projects they don’t have access to”.

Other examples included Traefik, a modern HTTP reverse proxy and load balancer designed to simplify deployment of microservices, and Skipper, a HTTP router and reverse proxy for service composition.

And, says Abeles, other programming languages could suffer from similar issues.

“Since ParseThru is a vulnerability mostly based on the usage of unsafe URL parsing methods, it does not directly reflect any challenge specific to Golang but rather a challenge that most programming languages share,” he said.

“Every language has its own implementation of URL parsing. However, they all differ from one another, resulting in parsing gaps that eventually lead to this kind of vulnerability.”

Oxeye said it disclosed its findings to the maintainers of affected projects and helped them remediate the security flaw.

“We now recommend that Golang-based apps in use should be reviewed to ensure the proper patching and/or remediation is applied,” said Ron Vider, CTO and co-founder of Oxeye.

Source: https://portswigger.net/daily-swig/parsethru-http-parameter-smuggling-flaw-uncovered-in-several-go-applications

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO