New 'ParseThru' Parameter Smuggling Vulnerability Affects Golang-based Applications (Security News, August 2022)

Security researchers have discovered a new vulnerability called ParseThru affecting Golang-based applications that could be abused to gain unauthorized access to cloud-based applications.
"The newly discovered vulnerability allows a threat actor to bypass validations under certain conditions, as a result of the use of unsafe URL parsing methods built in the language," Israeli cybersecurity firm Oxeye said in a report shared with The Hacker News.
The issue, at its core, has to do with inconsistencies stemming from a change to Golang's URL query parsing logic, which is implemented in the standard library's "net/url" package.
Versions of the language prior to 1.17 treated a semicolon as a valid query-parameter separator, interchangeable with an ampersand. Since Go 1.17, url.ParseQuery returns an error when it encounters a query string containing an unencoded semicolon and leaves the affected key/value pairs out of the result; because URL.Query() and the net/http form helpers discard that error, such parameters silently disappear from what the application sees. The Go 1.17 release notes describe the change:
"Now, settings with non-percent-encoded semicolons are rejected and net/http servers will log a warning to 'Server.ErrorLog' when encountering one in a request URL."
The problem arises when a Golang-based public API built on Go 1.17 or later sits in front of an internal service running a Go version before 1.17. The front end validates only the parameters it can parse, so a key/value pair that shares a segment with a semicolon is never checked, yet the raw query string is forwarded unchanged. The older backend then parses the semicolon as a separator and acts on the parameter, letting a malicious actor smuggle query parameters past validation that would otherwise have been rejected.
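The parsing discrepancy described above, reproduced as an added example (this is not Oxeye's or the Go project's code). It puts a reimplementation of the pre-1.17 separator handling next to the current url.ParseQuery, lists every key the older backend would act on that the newer front end never saw, and adds the edge-side check a gateway should apply before forwarding. The query string, the function names and the Discrepancy type are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// cutPair splits "key=value" at the first '='; a pair without '=' is a bare key.
func cutPair(pair string) (key, value string) {
	if i := strings.IndexByte(pair, '='); i >= 0 {
		return pair[:i], pair[i+1:]
	}
	return pair, ""
}

// legacyParseQuery mirrors the pre-Go-1.17 behaviour of url.ParseQuery, where
// '&' and ';' were both accepted as pair separators. It is a reimplementation
// written for this example, not the old standard-library code itself.
func legacyParseQuery(query string) url.Values {
	v := url.Values{}
	for query != "" {
		var pair string
		if i := strings.IndexAny(query, "&;"); i >= 0 {
			pair, query = query[:i], query[i+1:]
		} else {
			pair, query = query, ""
		}
		if pair == "" {
			continue
		}
		rawKey, rawVal := cutPair(pair)
		key, err1 := url.QueryUnescape(rawKey)
		val, err2 := url.QueryUnescape(rawVal)
		if err1 != nil || err2 != nil {
			continue // pairs with bad percent-escapes were skipped then too
		}
		v[key] = append(v[key], val)
	}
	return v
}

// Discrepancy records a key the Go < 1.17 backend will act on but that the
// Go >= 1.17 front end saw differently (usually: not at all).
type Discrepancy struct {
	Key            string
	FrontendValues []string // what url.URL.Query() returns on Go >= 1.17
	BackendValues  []string // what the legacy parser returns for the same query
}

// FindSmuggled parses rawQuery the way each side does and returns, sorted by
// key, every parameter whose values differ between the two parsers.
// On Go >= 1.17, url.ParseQuery drops each '&'-delimited segment that contains
// an unencoded ';' and returns an error; URL.Query() and net/http's FormValue
// discard that error, which is exactly what a front-end validator would do.
func FindSmuggled(rawQuery string) []Discrepancy {
	front, _ := url.ParseQuery(rawQuery) // error ignored, as URL.Query() does
	back := legacyParseQuery(rawQuery)

	keys := make([]string, 0, len(back))
	for k := range back {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	var out []Discrepancy
	for _, k := range keys {
		fv, bv := front[k], back[k]
		if len(fv) != len(bv) || strings.Join(fv, "\x00") != strings.Join(bv, "\x00") {
			out = append(out, Discrepancy{Key: k, FrontendValues: fv, BackendValues: bv})
		}
	}
	return out
}

// RejectSemicolonQuery is the edge-side mitigation: a Go >= 1.17 gateway must
// not forward a query it could not parse completely. An unencoded ';' is
// refused outright; a percent-encoded "%3B" is fine because every Go version
// keeps it inside the value rather than treating it as a separator.
func RejectSemicolonQuery(rawQuery string) error {
	if strings.Contains(rawQuery, ";") {
		return fmt.Errorf("query contains unencoded ';': %q", rawQuery)
	}
	_, err := url.ParseQuery(rawQuery)
	return err
}

func main() {
	// Constructed attacker input: the ';' hides role=admin from the front end.
	raw := "user=alice;role=admin&page=1"
	for _, d := range FindSmuggled(raw) {
		fmt.Printf("%-5s front=%v back=%v\n", d.Key, d.FrontendValues, d.BackendValues)
	}
	fmt.Println("gateway verdict:", RejectSemicolonQuery(raw))
	fmt.Println("encoded form accepted:", RejectSemicolonQuery("note=a%3Bb") == nil)
}
```

Note that the whole "user=alice;role=admin" segment vanishes on the newer side, not just the part after the semicolon, so a validator that checks for a forbidden "role" key finds nothing to object to. Rejecting at the edge is the simplest fix; the alternative is to make both tiers parse identically, for example by wrapping the front-end handler in net/http's AllowQuerySemicolons (which rewrites ';' to '&' before parsing) while the backend is upgraded, so that whatever the gateway validates is what the backend receives.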
News URL
https://thehackernews.com/2022/08/new-parsethru-parameter-smuggling.html