Parameter Smuggling Vulnerability

Security researchers have discovered a new vulnerability called ParseThru affecting Golang-based applications that could be abused to gain unauthorized access to cloud-based applications.

"The newly discovered vulnerability allows a threat actor to bypass validations under certain conditions, as a result of the use of unsafe URL parsing methods built in the language," Israeli cybersecurity firm Oxeye said in a report shared with The Hacker News.

The issue, at its core, has to do with inconsistencies stemming from changes introduced to Golang's URL parsing logic that's implemented in the "net/url" library.


While versions of the programming language prior to 1.17 treated semicolons as a valid query delimiter (e.g., example.com?a=1;b=2&c=3), this behavior has since been modified to throw an error upon finding a query string containing a semicolon.

"The net/url and net/http packages used to accept ";" (semicolon) as a setting separator in URL queries, in addition to "&" (ampersand)," according to the release notes for version 1.17 released last August.

"Now, settings with non-percent-encoded semicolons are rejected and net/http servers will log a warning to 'Server.ErrorLog' when encountering one in a request URL."

The problem arises when a Golang-based public API built upon a version greater than 1.17 communicates with an internal service running Golang before 1.17, leading to a scenario where a malicious actor could smuggle requests incorporating query parameters that would otherwise be rejected.
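To make the mismatch concrete, the following Go program (an added example written for this page, not code from Oxeye or from the Go project) parses the article's sample query string two ways: with the standard library's current `url.ParseQuery`, and with `legacyParseQuery`, a small re-implementation of the pre-1.17 behaviour described above (splitting on both `&` and `;`); that helper is an assumption made here for illustration, not the old standard-library code. `SmuggledKeys` lists the parameters a pre-1.17 backend would see but a 1.17+ front end never inspects, and `HasRawSemicolon` is the check a front-end service can apply to reject such queries before forwarding them.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Constructed sample query, taken from the article's own example.
const sampleQuery = "a=1;b=2&c=3"

// legacyParseQuery re-implements the pre-1.17 behaviour the article describes:
// both '&' and ';' separate key/value pairs. This is an illustration written
// for this example (an assumption), not the historical standard-library code.
func legacyParseQuery(query string) url.Values {
	vals := url.Values{}
	isSep := func(r rune) bool { return r == '&' || r == ';' }
	for _, pair := range strings.FieldsFunc(query, isSep) {
		kv := strings.SplitN(pair, "=", 2)
		value := ""
		if len(kv) == 2 {
			value = kv[1]
		}
		k, err1 := url.QueryUnescape(kv[0])
		v, err2 := url.QueryUnescape(value)
		if err1 != nil || err2 != nil {
			continue // malformed escape: skip the pair, as the old parser did
		}
		vals[k] = append(vals[k], v)
	}
	return vals
}

// modernParseQuery is the Go 1.17+ standard-library behaviour: any pair that
// contains a raw ';' is dropped and an error is returned alongside the
// remaining pairs. (*url.URL).Query() discards that error, so in a typical
// handler the drop is silent.
func modernParseQuery(query string) (url.Values, error) {
	return url.ParseQuery(query)
}

// SmuggledKeys returns, sorted, the parameter names that a pre-1.17 backend
// would parse out of rawQuery but a 1.17+ front-end validator never sees.
func SmuggledKeys(rawQuery string) []string {
	front, _ := modernParseQuery(rawQuery) // error ignored, as Query() does
	back := legacyParseQuery(rawQuery)
	var missing []string
	for k := range back {
		if _, seen := front[k]; !seen {
			missing = append(missing, k)
		}
	}
	sort.Strings(missing)
	return missing
}

// HasRawSemicolon is the defensive check: a front end that forwards requests
// to older Go services should reject any query containing an unencoded ';'.
// A percent-encoded "%3B" is fine, because both parsers treat it as data.
func HasRawSemicolon(rawQuery string) bool {
	return strings.Contains(rawQuery, ";")
}

func main() {
	front, err := modernParseQuery(sampleQuery)
	fmt.Printf("Go 1.17+ front end sees: %v (err: %v)\n", front, err)
	fmt.Printf("pre-1.17 backend sees:   %v\n", legacyParseQuery(sampleQuery))
	fmt.Printf("parameters the validator never inspected: %v\n", SmuggledKeys(sampleQuery))
	if HasRawSemicolon(sampleQuery) {
		fmt.Println("defensive check: reject request before forwarding")
	}
}
```

Running it shows the front end parsing only `c=3` while the legacy parser yields `a=1`, `b=2` and `c=3`; the two entries in `SmuggledKeys` are exactly the ones any validation at the front end would have missed, which is why rejecting raw semicolons at the boundary (or upgrading the internal service so both sides parse identically) closes the gap.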


Oxeye said it identified several instances of ParseThru in open-source projects such as Harbor, Traefik, and Skipper, which made it possible to bypass validations put in place and carry out unauthorized actions.

This is not the first time URL parsing has posed a security issue. Earlier this January, Claroty and Snyk disclosed as many as eight flaws in third-party libraries written in C, JavaScript, PHP, Python, and Ruby languages that originated as a result of confusion in URL parsing.
