Security Bugs in Third-Party URL Parsing Libraries Could Affect Multiple Web Applications | DoS attacks, leaks and more
Researchers have discovered URL parsing bugs that could impact several web applications. Cyber security experts have noticed some vulnerabilities resulting from inconsistencies in the libraries involved.
They further warned that these bugs could open the door to data leaks, remote code execution (RCE) and denial-of-service (DoS) attacks.
What is URL parsing
Before we discuss the bugs that hit some libraries, we first need to know the definition of URL parsing. According to Threatpost, this is the process of “breaking down a web address” into several pieces. Its main purpose is to route traffic properly to different servers.
URL parsing libraries are available for many programming languages. Applications import them to use their features.
According to the researchers’ analysis Monday, URLs are built from five separate components: scheme, authority, path, query, and fragment. On top of that, the team said each of them has a designated role in requesting the resource and in other processes.
URL parsing confusion
Based on what they discovered earlier this week, some flaws affect how these libraries parse URLs.
After examining 16 URL parsing libraries, researchers at Snyk and Team82 identified five categories of inconsistencies among them. These are the following:
Scheme confusion – involves URLs with a missing scheme
Slash confusion – involves URLs with an irregular number of slashes
Backslash confusion – involves URLs that contain backslashes
URL-encoded data confusion – involves URLs that contain URL-encoded data
Scheme mixup – involves parsing URLs of a particular scheme without a scheme-specific parser
The report added that two main issues were noted in web applications: incompatible specifications and the use of several parsers.
Simply put, the confusion could lead to DoS and RCE attacks, as the researchers explained. Additionally, URL confusion could bypass the Log4Shell patch, which was alarming for all internet users.
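To make the categories concrete, here is an added example (not code from the researchers or from Tech Times) that flags four of the five categories and shows where Python's `urllib.parse` and a lenient, browser-style reading disagree about the host. The function names, the lenient reading and the sample URLs are assumptions made for illustration; scheme mixup is not covered.

```python
import re
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):(.*)$", re.S)

def lenient_authority(rest):
    """Browser-style reading: skip any run of / or \\ and take what follows as the host."""
    return re.split(r"[/\\?#]", rest.lstrip("/\\"), maxsplit=1)[0]

def confusion_flags(url):
    """Name the confusion categories (as listed in the article) that a URL falls into."""
    flags = set()
    if "\\" in url:
        flags.add("backslash")
    m = _SCHEME.match(url)
    if not m:
        flags.add("scheme")          # no "scheme:" prefix at all
        return flags
    rest = m.group(2)
    if len(rest) - len(rest.lstrip("/\\")) != 2:
        flags.add("slash")           # not exactly two separators after the scheme
    if "%" in lenient_authority(rest):
        flags.add("url-encoded")     # percent-encoding inside the host part
    return flags

def hosts_seen(url):
    """(host per urllib.parse, host per the lenient reading); a mismatch is the confusion."""
    m = _SCHEME.match(url)
    return urlsplit(url).netloc, lenient_authority(m.group(2) if m else url)

def is_acceptable(url, allowed_hosts):
    """Accept only unambiguous http(s) URLs whose host is on the allowlist."""
    parts = urlsplit(url)
    return (not confusion_flags(url)
            and parts.scheme in ("http", "https")
            and parts.hostname in allowed_hosts)

# Constructed sample inputs (example.com and b.example are placeholder names).
SAMPLES = [
    "https://example.com/a",
    "example.com/a",
    "https:///b.example/a",
    "https:\\\\b.example/a",
    "https://example%2ecom/a",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, sorted(confusion_flags(u)), hosts_seen(u),
              is_acceptable(u, {"example.com"}))
```

Rejecting any flagged URL before it reaches a second parser removes the disagreement instead of trying to guess which reading the downstream component will take.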
8 URL parsing bugs
In another report from The Hacker News on Monday, January 10, eight vulnerabilities were discovered by researchers. The following is a list of URL parsing security bugs that have caused some confusion. They have made third-party web applications susceptible to identity theft.
Belledonne SIP stack (C, CVE-2021-33056)
Nagios XI (PHP, CVE-2021-37352)
Flask-security (Python, CVE-2021-23385)
Flask-security-too (Python, CVE-2021-32618)
Flask-unchained (Python, CVE-2021-23393)
Flask-User (Python, CVE-2021-23401)
Clearance (Ruby, CVE-2021-23435)
How to Avoid Cyber Attacks When You Work from Home
Last November, Tech Times wrote an article about the WFH attacks and how to prevent them. To protect your computers from further damage, here’s what you need to do.
First of all, regularly check your password on your PC and don’t share it with others, even your friends. If you notice an alarming message on your account, immediately contact the authorities for assistance. Ask them if the warning is legitimate or not.
After that, we advise you to replace your routers, especially older models. Obsolete routers are usually easy for hackers to access.
Last week, we also reported that Google released a security patch in January for the Android Pixel 911 bug. The issue has reportedly prevented users from calling the emergency hotline.
This article is the property of Tech Times
Written by Joseph Henry
2021 TECHTIMES.com All rights reserved. Do not reproduce without permission.