Security News > 2022 > January > Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries
"The confusion in URL parsing can cause unexpected behavior in the software, and could be exploited by threat actors to cause denial-of-service conditions, information leaks, or possibly conduct remote code execution attacks," the researchers said in a report shared with The Hacker News.
With URLs being a fundamental mechanism by which resources - located either locally or on the web - can be requested and retrieved, differences in how the parsing libraries interpret a URL request could pose significant risk for users.
"This bypass stems from the fact that two different URL parsers were used inside the JNDI lookup process, one parser for validating the URL, and another for fetching it, and depending on how each parser treats the Fragment portion of the URL, the Authority changes too," the researchers said.
The use of multiple parsers emerged as one of the two primary reasons why the eight vulnerabilities were discovered, the other being issues arising from inconsistencies when the libraries follow different URL specifications, effectively introducing an exploitable loophole.
The dissonance ranges from confusion involving URLs containing backslashes, irregular number of slashes, or URL encoded data to URLs with missing URL scheme, which could be exploited to gain remote code execution or even stage denial-or-service and open-redirect phishing attacks.
To protect applications from URL parsing vulnerabilities, "It is necessary to fully understand which parsers are involved in the whole process [and] the differences between parsers, be it their leniency, how they interpret different malformed URLs, and what types of URLs they support."
News URL
https://thehackernews.com/2022/01/researchers-find-bugs-in-over-dozen.html