[whatwg/url] HISTORY: URL Parsing Differences Between Implementations Security Issues (Issue #766)

The goal of this thread is to capture, in a single location, all cases where differences in URL parsing have led to a security issue.

This was inspired by the work by Orange Tsai from 2016:
 - https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
 - https://www.youtube.com/watch?v=R9pJ2YCXoJQ

There has been more recent research into this topic by Claroty and Snyk:
 - https://thehackernews.com/2022/01/researchers-find-bugs-in-over-dozen.html

<table>
<tr>
    <th>Target</th>
    <th>Impact</th>
    <th>CVE</th>
    <th>Link(s)</th>
</tr>
<tr>
    <td>US Department of State</td>
    <td>SSRF</td>
    <td>N/A</td>
    <td><a href="https://hackerone.com/reports/1747596">https://hackerone.com/reports/1747596</a></td>
</tr>
<tr>
    <td>Google Closure Library</td>
    <td>Parser selects wrong authority</td>
    <td>CVE-2020-8910</td>
    <td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-8910">https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-8910</a></td>
</tr>
<tr>
    <td>HTTP server Apache2</td>
    <td>OpenRedirect</td>
    <td>CVE-2021-32786</td>
    <td><ul><li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32786">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32786</a></li><li><a href="https://www.sonarsource.com/blog/security-implications-of-url-parsing-differentials/">https://www.sonarsource.com/blog/security-implications-of-url-parsing-differentials/</a></li></ul></td>
</tr>
</table>

I welcome others to add additional links to additional vulnerabilities. Hopefully the WHATWG can use these resources to learn about where inconsistencies between the current existing URL parsers cause security impact in real-world applications.

https://github.com/whatwg/url/issues/766

Received on Tuesday, 28 March 2023 15:13:31 UTC