From . in regex to SSRF — part 3

This is the last part of my series about exploiting a service with an SSRF bug. Part 1 is available here, and part 2 here.

This part is focused on abusing Node.js and the node-fetch library. I will try to “talk” with a Redis service using CRLF injection in the HTTP parser.

For convenience, the Redis service will be simulated with nc -vvlp 6379.

Test environment, from my Kali 2020.1b:

  • Node.js version 10.19.0
  • node-fetch version 2.6.0

CRLF Injection

For presentation purposes only the first three payloads are shown (head -n 3).

No success here. All payloads failed 😞

The next step is to check payloads from two great articles by Orange Tsai: the first from Red Hat 2017 and the second from his blog. They give a few more options to test:

-*Set-Cookie:injection-* (Unicode U+FF0D U+FF0A)
http://0\r\n SET foo 0 60 5\r\n :6379/
https://0\r\nSET foo 0 60 5\r\n:6379/

Still no success here. It seems that this version of Node.js is not vulnerable to CRLF attacks.

Let’s try harder and dig deeper into node-fetch; maybe there will be something interesting in the code 😃

Investigation of node-fetch code

  1. URL parsing
  2. Handling URL input as an object rather than a string

Let’s see what I will find.

Debugging Node.js code is quite nice in Visual Studio Code:

Code debugging example in Visual Studio Code

Problem number one does not exist, as node-fetch uses the standard Node.js Url.parse for its input and does not do much fancy with it.

For the second problem I needed to do more investigation.

First of all, I will explain why I’m interested in processing an object instead of a string. In many dynamic languages you can make a valid request like this:

http://localhost:3000/c?url[href]=localhost&url[method]=POST

This results in an object being created instead of a string. That could be quite handy in some scenarios, especially if the developers didn’t anticipate it 😄 See below an example of parsing such a URL in the Node.js Express framework.
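To show what the request above turns into, and what a defender would check before passing such a parameter to fetch(), here is an added example (my own code, not the author's and not Express or node-fetch code). It contains a simplified reimplementation of the bracket-notation parsing that Express's default "extended" query parser applies (assumption: qs-like semantics without array handling or depth limits), followed by a guard that also rejects the raw CR/LF bytes used in the Redis payloads earlier in the post.

```javascript
// URL and URLSearchParams are Node.js globals (Node 10+), no require needed.

// Parse "a[b]=1&a[c]=2" into { a: { b: '1', c: '2' } }; keys without
// brackets stay plain strings. Simplified qs-like semantics (assumption:
// no array handling, no depth limit), enough to reproduce the article's case.
function parseExtendedQuery(search) {
  const out = {};
  for (const [rawKey, value] of new URLSearchParams(search)) {
    const m = rawKey.match(/^([^\[\]]+)((?:\[[^\[\]]*\])*)$/);
    if (!m) continue;
    const keys = [m[1]];
    const re = /\[([^\[\]]*)\]/g;
    let part;
    while ((part = re.exec(m[2])) !== null) keys.push(part[1]);
    let node = out;
    keys.forEach((k, i) => {
      if (i === keys.length - 1) { node[k] = value; return; }
      if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
      node = node[k];
    });
  }
  return out;
}

// Guard to run before handing the parameter to fetch(): the type check defeats
// the object trick, and the raw CR/LF/TAB check is needed because the WHATWG
// URL parser silently strips those characters instead of rejecting them.
function validateUrlParam(param) {
  if (typeof param !== 'string') return { ok: false, reason: 'url must be a string' };
  if (/[\r\n\t]/.test(param)) return { ok: false, reason: 'control characters in url' };
  let u;
  try { u = new URL(param); } catch (e) { return { ok: false, reason: 'not an absolute URL' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  return { ok: true, href: u.href };
}

// Constructed query string taken from the article's request.
const q = parseExtendedQuery('url[href]=localhost&url[method]=POST');
console.log(q.url);                   // { href: 'localhost', method: 'POST' }
console.log(validateUrlParam(q.url)); // { ok: false, reason: 'url must be a string' }
console.log(validateUrlParam('http://example.com/')); // { ok: true, href: 'http://example.com/' }
```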

In node-fetch I found one possible attack vector:

It looks like it is possible to use an object instead of a string for the input parameter. This input.method could change the method type under some specific conditions. After spending some time in the debugger, it turned out to be a dead end.

Summary

Thanks for reading! You can follow me on Twitter here.
