whatwg / url

URL Standard
https://url.spec.whatwg.org/

HISTORY & SECURITY: URL Parsing Differences Between Implementations Security Issues #766

Closed JLLeitschuh closed 1 day ago

JLLeitschuh commented 1 year ago

The goal of this thread is to capture, in a single location, all cases where URL parsing, due to differences in parsing, has led to a security issue.

This was inspired by the work by Orange Tsai from 2016:

There has been more recent research into this topic by Claroty and Snyk:

| Target | Impact | CVE | Link(s) |
| --- | --- | --- | --- |
| US Department of State | SSRF | N/A | https://hackerone.com/reports/1747596 |
| Google Closure Library | Parser selects wrong authority | CVE-2020-8910 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-8910 |
| HTTP server Apache2 | OpenRedirect | CVE-2021-32786 | |

I welcome others to add additional links to additional vulnerabilities. Hopefully the WHATWG can use these resources to learn about where inconsistencies between the current existing URL parsers cause security impact in real-world applications.

annevk commented 1 year ago

You might also be interested in The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski. I'm pretty sure URL parsing is discussed, though it's been a while since I read it.

But yes, security is a large part of the reason to pursue this effort. Not sure anyone here needs convincing of that, but exploits do always make for interesting reading and sometimes inform necessary changes.

annevk commented 1 day ago

I'm going to close this, but if people want to share more research, feel free. And if anything warrants a change to the URL standard we can always reopen or file a new issue targeted towards that.