ParseThru: HTTP Parameter Smuggling Flaw Discovered in Multiple Go Apps

Emma Woollacott Aug 04, 2022 at 10:55 AM UTC

Updated: August 05, 2022 at 15:05 UTC

Harbor, Traefik and Skipper projects tackle insecure URL scanning methods

A new vulnerability has been discovered that could allow an attacker to gain unauthorized access to cloud-based Golang applications.

Using insecure URL parsing methods built into the open source cloud native language would allow a malicious actor to bypass validations under certain conditions, according to Oxeye researchers.

“ParseThru is a parameter smuggling attack, which means that under certain conditions, it allows a malicious actor to bypass validations based on HTTP request parameters due to the use of insecure URL parsing “, said Daniel Abeles, head of research at Oxeye. The daily sip.

“A successful compromise can result in a variety of outcomes for a potential threat actor, from reading sensitive data and exfiltrating secrets to performing actions on behalf of other users and more.”

contraband semicolons

GoLang – or Go – uses the ‘net/url’ library to parse URLs and prior to version 1.17 considered semicolons in the query part of the URL as a valid delimiter. With version 1.17, however, semicolons are treated as an error and one of the methods responsible for getting the parsed query string ignores the returned error.

This means that when a public Go-based API built on version 1.17 or later communicates with an internal service running an earlier version, specially crafted requests containing a semicolon in the query string can be smuggled.

Learn about the latest open source software security news

Oxeye researchers found a number of examples in several open source projects that they were able to exploit successfully. These included the CNCF-graduated Harbor Project, an open-source registry that secures artifacts with policies and role-based access control. Here, “an authenticated user (even with the lowest level of permissions) can issue a special request to read the imagery layers of restricted projects to which he does not have access”.

Other examples include Traefik, a modern HTTP reverse proxy and load balancer designed to simplify microservices deployment, and Skipper, an HTTP router and reverse proxy for service composition.

And, says Abeles, other programming languages ​​could suffer from similar problems.

“Because ParseThru is a vulnerability primarily based on the use of insecure URL parsing methods, it does not directly reflect a Golang-specific challenge, but rather a challenge shared by most programming languages,” did he declare.

“Each language has its own implementation of URL parsing. However, they all differ from each other, resulting in parsing shortcomings that ultimately lead to this type of vulnerability.

Oxeye said it disclosed its findings to those responsible for the affected projects and helped them fix the security flaw.

“We now recommend that Golang-based apps in use be reviewed to ensure the appropriate patch and/or fix is ​​applied,” said Ron Vider, CTO and co-founder of Oxeye.

YOU MIGHT ALSO LIKE Jenkins security: unfixed XSS and CSRF bugs included in latest plugin advisory

Comments are closed.