Node.js was vulnerable to a new technique for smuggling HTTP requests


Bad line termination and incorrect analysis of chunk extensions exposed one of two HRS faults

Node.js maintainers fixed two HTTP Request Traffic (HRS) vulnerabilities in the JavaScript runtime environment, including one found using what appears to be a new HRS technique.

A server-side technology that allows JavaScript to be executed from the browser, Node.js is an increasingly popular way to develop and host web applications.

HTTP request smuggling interferes with the way websites process the HTTP request sequences received from users.

Learn about the latest Node.js security news and analysis

The vulnerabilities were discovered by Mattias Grenfeldt and Asta Olofsson during research for a bachelor’s degree in computer science at the KTH Royal Institute of Technology in Sweden. This has since been rewritten as a conference document and accepted for IEEE EDOC 2021.

“We set out to search for HTTP request contraband vulnerabilities in six open source web servers and six open source proxies. Node was one of them, but initially we found no problem there, ”said Grenfeldt. The daily sip.

“Some time later, while we were working on reporting the other issues that were encountered during the project, we came across these two issues.”

‘Classic HRS technique’

The first, CVE-2021-22959, allows HTTP requests to be smuggled due to spaces in headers, with the HTTP parser accepting requests with a space after the header name and before the colon. .

“This is a classic HRS technique,” ​​Grenfeldt explains. “Node interprets” as “. If combined with a proxy that ignores these headers, but forwards them without modification, then HRS is possible. There have been a lot of issues similar to this in the past.

“It’s interesting that Regilero also reported this exact issue to Node earlier, along with a bunch of other issues; they were collectively awarded CVE-2016-2086. All issues have been resolved except for the space + colon issue.

New technique

Meanwhile, CVE-2021-22960 appears to represent a new HRS technique, whereby the combination of a bad line termination in one of the proxies studied and an incorrect analysis of chunk extensions in Node allows the smuggling of requests.

Grenfeldt and Olofsson discovered that the vulnerable proxy looked for a single newline character (LF) to end the line containing the chunk size, but did not check, as usual, for a carriage return before the LF. .

“Just before that line termination is the location of the rarely used section extension feature. In block extensions, you can specify additional parameters, like ”, after the block size. However, analysis for this is rarely implemented in systems and many instead allow any byte in this region, ”Grenfeldt explains.

“These two problems combined allow us to build a fragmented body that the proxy interprets one way and Node interprets another way. We also found the same server behavior on three other servers we investigated, which in fact the most serious problem we have found. “

Grenfeldt and Olofsson reported the issues on June 19 and 20, with Node releasing a patch on October 12.

RELATED HAProxy vulnerability allows HTTP request smuggling attacks

Source link

Leave A Reply

Your email address will not be published.