URL PassThru Vulnerability in Golang
GoLang-based applications has a new vulnerability that allows a threat actor to bypass validations under certain conditions and gain unauthorized access to cloud-native applications.
The vulnerability dubbed as ParseThru, the use of unsafe URL parsing methods built in the language.
GoLang uses the ‘net/url’ library to parse URLs. Prior to version 1.17 of the programming language, GoLang would consider semicolons in the query part of the URL as a valid delimiter. GoLang changed this behavior all new version apart from 1.17, in which the “parseQuery” method will return an error if the query part of the URL contains a semicolon.
Although this method was fixed to properly return an error when the input contains a semicolon, one of the methods responsible for getting the parsed query string bluntly ignores the error returned.
Due to which the GoLang-based public API built upon GoLang version greater than 1.17 communicates with an internal service running GoLang prior to v1.17.
When a user makes an http request to the first service, supplying a query parameter, the service will make a determination on whether to pass on the request based on the supplied parameter. If a semicolon is added to the named parameter, the first service will ignore its existence. No logic will be made based on the actual parameter value.
The request is forwarded to the internal service, receiving and treating the request, parameter without the semicolon. This means miscreants are able to smuggle requests containing query parameters that would normally be rejected.
This behavior is seen in several open-source projects which resulted in various vulnerabilities.
Three identified vulnerable projects include:
- CNCF-graduated project Harbor, an open source registry that secures artifacts with policies and role-based access control
- Traefik, a modern http reverse proxy and load balancer that makes deploying microservices easy and
- Skipper, an http router and reverse proxy for service composition.
Research team managed to bypass critical apps logic using this vulnerability to exploit the application for performing various unauthorized actions.
This research was conducted and documented by oxeye researchers.