thus the server can return any URIs (not just https:// but http:// as well, for any domain, such as: http://192.168.1.1 to attack local network resources, such as routers, etc...)
the .sign?r= addition is easily bypassed/ignored by adding # or &x= to the url (it will be part of the hash or additional parameter)
fix: implement white-list in the application of allowed hosts (only in https:// protocol) that can be used in the request for the signed data.
Here the response of request to
https://gisweb.azureedge.net/get_config.json?r=${Math.random()}(assumed json is returned) will be stored in configUrls variable, which some data in the jsonconfigUrls.data[env]is passed todownloadAndVerifySigningfunction, that will use without verification and whitelisted domains as input toaxios.get('${url}.sign?r=${Math.random()}'command. https://github.com/MohGovIL/hamagen-react-native/blob/c981f8f229208e69fa0d2d29a95a2f3117fe7295/src/config/config.ts#L15-L16 https://github.com/MohGovIL/hamagen-react-native/blob/4c13112f1ed803e6c5d1bdfacc473d0f65ee2268/src/services/SigningService.ts#L5-L7thus the server can return any URIs (not just https:// but http:// as well, for any domain, such as: http://192.168.1.1 to attack local network resources, such as routers, etc...)
the
.sign?r=addition is easily bypassed/ignored by adding#or&x=to the url (it will be part of the hash or additional parameter)fix: implement white-list in the application of allowed hosts (only in https:// protocol) that can be used in the request for the signed data.