Security Bugs on Third-Party URL-Parsing Libraries Could Affect Several Web Apps | DoS Attacks, Leaks, and More

Researchers discovered URL-parsing bugs that could affect several web apps. The vulnerabilities stem from inconsistencies in how the affected libraries parse URLs.

They further warned that these apps could be exposed to data leaks, remote code execution (RCE), and denial-of-service (DoS) attacks.

What is URL Parsing


Before discussing the bugs that hit certain libraries, we should first define URL parsing. According to Threatpost, it is the process of "breaking down a web address" into its components. Its main goal is to route traffic correctly across different servers.

Many programming languages ship URL-parsing libraries; applications import these libraries to access their functionality.

Per the researchers' analysis on Monday, a URL is made up of five distinct components: the scheme, authority, path, query, and fragment. Each of them, the team said, plays a designated role in locating the requested resource and in other processing.


URL Parsing Confusions

Earlier this week, the researchers found that the libraries disagree with one another about how certain URLs should be parsed.

After scrutinizing 16 URL-parsing libraries, Snyk and Team82 researchers identified five categories of inconsistencies among them. These are the following:

  • Scheme confusion - the URL is missing a scheme

  • Slash confusion - the URL contains an irregular number of slashes

  • Backslash confusion - the URL contains backslashes

  • URL-encoded data confusion - the URL contains URL-encoded data

  • Scheme mix-ups - a URL of a particular scheme is parsed without a scheme-specific parser

The report added that two underlying issues were seen in the affected web applications: incompatibility between URL specifications, and the use of multiple parsers on the same input.

In layman's terms, as the researchers explained, these confusions could lead to DoS and RCE attacks. Moreover, URL confusion could be used to bypass the Log4Shell patch, which was alarming to all internet users.
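The following is an added example, not code from the report or from any of the libraries it names, showing how a defender can flag input URLs that fall into four of the five confusion categories above before passing them to a second parser. It compares Python's urllib reading of a URL with a browser-style reading, assuming (as an approximation, not a real WHATWG parser) that a browser treats a backslash like a forward slash; the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample inputs (not taken from the report); each one exercises a
# single confusion class so the flags below can be checked individually.
SAMPLES = {
    "plain":     "https://example.com/login",
    "no_scheme": "example.com/login",
    "slashes":   "https:///example.com/login",
    "backslash": "https://example.com\\@attacker.example/",
    "encoded":   "https://example.com%2F@attacker.example/",
}


def browser_style_host(url: str):
    """Approximate how a browser (WHATWG) parser sees the host: a backslash is
    treated like a forward slash. Assumption for comparison only, not a parser."""
    return urlsplit(url.replace("\\", "/")).hostname


def ambiguity_flags(url: str) -> list:
    """Return the confusion categories a URL triggers. An empty list means the
    urllib and browser-style readings agree and no risky pattern is present."""
    flags = []
    parts = urlsplit(url)
    if not parts.scheme:
        flags.append("scheme-missing")               # scheme confusion
    else:
        after_scheme = url[len(parts.scheme) + 1:]
        if len(re.match(r"/*", after_scheme).group()) != 2:
            flags.append("irregular-slashes")        # slash confusion
    if "\\" in url:
        flags.append("backslash")                    # backslash confusion
    if urlsplit(unquote(url)).hostname != parts.hostname:
        flags.append("encoded-data")                 # URL-encoded data confusion
    if browser_style_host(url) != parts.hostname:
        flags.append("host-disagreement")            # two parsers pick different hosts
    return flags


def is_safe_url(url: str) -> bool:
    """Accept only URLs that no parser in the chain could read differently."""
    return not ambiguity_flags(url)


if __name__ == "__main__":
    for name, u in SAMPLES.items():
        print(f"{name:10} {u!r:48} -> {ambiguity_flags(u) or 'ok'}")
```

The "host-disagreement" flag is the symptom behind the multiple-parsers issue: the backslash sample resolves to attacker.example under urllib but to example.com under the browser-style reading.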

8 URL Parsing Bugs

According to another report, from The Hacker News on Monday, Jan. 10, the researchers discovered eight vulnerabilities. The following URL-parsing security bugs all stem from these confusions and left third-party web apps susceptible to spoofing.

  • Belledonne's SIP Stack (C, CVE-2021-33056)

  • Video.js (JavaScript, CVE-2021-23414)

  • Nagios XI (PHP, CVE-2021-37352)

  • Flask-security (Python, CVE-2021-23385)

  • Flask-security-too (Python, CVE-2021-32618)

  • Flask-unchained (Python, CVE-2021-23393)

  • Flask-User (Python, CVE-2021-23401)

  • Clearance (Ruby, CVE-2021-23435)

How to Avoid Cyberattacks When Working at Home

Last November, Tech Times wrote an article about attacks on people working from home (WFH) and how to prevent them. To protect your computers from harm, here is what you need to do.

First, regularly check your password on your PC and do not share it with others, even with your friends. If you notice an alarming message on your account, immediately contact the authorities to seek help. Ask them if the warning is legitimate or not.

After that, we advise you to replace your routers, especially old models. Outdated routers can usually be accessed easily by hackers.

Last week, we also reported that Google launched a January security patch for the Android bug that affected 911 calls on Pixel phones. The glitch was reportedly preventing users from calling the emergency hotline.


This article is owned by Tech Times

Written by Joseph Henry

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.