
Header injection and path forgery [security issue] #511

Closed
n0npax opened this issue Dec 23, 2020 · 1 comment


n0npax commented Dec 23, 2020

I believe there is a security issue with the current implementation of Request.

The full example can be found here

What's wrong:

Request passes the method verb as-is to the stream without any kind of validation. Basically:

```dart
import 'package:http/http.dart';

void main() async {
  // The "method" argument is a whole forged request line plus a dangling header.
  var r = Request(
      "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nLLAMA:",
      Uri(scheme: "http", path: "/llama", host: "localhost"));
  var rs = await r.send();
}
```

generates a request like:

```
sudo nc -l 127.0.0.1 80
GET HTTP://EXAMPLE.COM/ HTTP/1.1
HOST: EXAMPLE.COM
LLAMA: /llama HTTP/1.1
user-agent: Dart/2.10 (dart:io)
accept-encoding: gzip
content-length: 0
host: localhost
```

What I'd expect

If the HTTP verb (method) is not part of the known set of verbs (GET/PUT/HEAD/...), I'd expect an exception to be thrown.

Why this is a security risk

If the developer is using Request to abstract generating HTTP calls and is accepting a method param from the user, the user can do some magic like header injection or path forgery.
This can be exploited in many ways and seems to be quite important, especially in case a reverse proxy is in place. A proxy may just pass someone's request to any host.
By running the snippet behind a proxy, I was nicely redirected (like this) to example.com, which was injected as per the example above.
Let's assume I'm replacing example.com with my-hackery-uservice.org and the victim is working in a company behind the proxy. This means I can redirect calls with headers/cookies (tokens) and blah blah blah.


n0npax commented Jan 2, 2021

StreamedRequest is also affected.
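One way to get the behaviour the reporter expects for both `Request` and `StreamedRequest` is to validate the method before it reaches the constructor. The following is an added example and not code from package:http or from the reporter; `checkMethod`, `safeRequest` and `safeStreamedRequest` are hypothetical wrapper names. It enforces the RFC 7230 `token` grammar (which excludes CR, LF, space and `:`), so a forged request line can never reach the wire, and optionally tightens that to a fixed allowlist of verbs as the issue asks for.

```dart
import 'package:http/http.dart' as http;

// RFC 7230 "token" characters: the only bytes a method name may contain.
// CR, LF, SP and ':' are not in this set, so request-line and header
// injection is impossible once the method passes this check.
// Added example; not part of package:http.
final RegExp _token = RegExp(r'^[!#$%&\x27*+\-.^_`|~0-9A-Za-z]+$');

// Default allowlist matching the reporter's expectation (GET/PUT/HEAD/...).
const Set<String> knownVerbs = {
  'GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS', 'TRACE',
};

/// Returns [method] unchanged if it is a syntactically valid HTTP method,
/// otherwise throws [ArgumentError]. When [allowed] is given, the method must
/// additionally be one of those verbs (case-sensitive, as HTTP methods are).
String checkMethod(String method, {Set<String>? allowed}) {
  if (method.isEmpty || !_token.hasMatch(method)) {
    throw ArgumentError.value(
        method, 'method', 'not a valid HTTP method token (RFC 7230)');
  }
  if (allowed != null && !allowed.contains(method)) {
    throw ArgumentError.value(method, 'method', 'not an allowed HTTP method');
  }
  return method;
}

/// Guarded drop-ins for the two constructors the issue reports as affected.
http.Request safeRequest(String method, Uri url, {Set<String>? allowed}) =>
    http.Request(checkMethod(method, allowed: allowed), url);

http.StreamedRequest safeStreamedRequest(String method, Uri url,
        {Set<String>? allowed}) =>
    http.StreamedRequest(checkMethod(method, allowed: allowed), url);

void main() {
  final url = Uri(scheme: 'http', host: 'localhost', path: '/llama');

  // The payload from the report: a full request line plus a dangling header.
  const injected =
      'GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nLLAMA:';
  try {
    safeRequest(injected, url);
  } on ArgumentError catch (e) {
    print('rejected "${e.invalidValue}": ${e.message}');
  }

  // A custom but well-formed method passes the token rule ...
  print('token ok: ${safeStreamedRequest('PROPFIND', url).method}');

  // ... but not the stricter allowlist the reporter asks for.
  try {
    safeStreamedRequest('PROPFIND', url, allowed: knownVerbs);
  } on ArgumentError catch (e) {
    print('rejected "${e.invalidValue}": ${e.message}');
  }

  final ok = safeRequest('GET', url, allowed: knownVerbs);
  print('accepted: ${ok.method} ${ok.url}');
}
```

The token check is the minimum the protocol requires; the allowlist is the policy the reporter asks for and is the safer default when the method string comes from a user. Note that the uppercased `GET HTTP://EXAMPLE.COM/` in the captured request shows the method is transformed but not validated downstream, so the check has to happen before the `Request` is built, not after.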
