"New 'ParseThru' Parameter Smuggling Vulnerability Affects Golang-based Applications"
Security researchers have discovered a new vulnerability dubbed ParseThru that affects Golang-based applications and can be exploited to gain unauthorized access to cloud-based applications. According to the cybersecurity firm Oxeye, the newly discovered vulnerability allows a threat actor to circumvent validations under certain conditions due to the use of unsafe URL parsing methods built into the language. At the heart of the problem are inconsistencies stemming from changes to Golang's URL parsing logic, which is implemented in the "net/url" library. Prior to version 1.17 of the programming language, semicolons were treated as a valid query-parameter delimiter, equivalent to ampersands, but this behavior has since been changed so that parsing a query string containing a semicolon returns an error. When a Golang-based public API built on version 1.17 or later communicates with a backend service running an earlier version, a malicious actor may be able to smuggle requests containing query parameters that would otherwise be rejected. The idea is to send requests with a semicolon in the query string: the user-facing Golang API silently drops the parameter that follows the semicolon and so never validates it, while the internal service, still splitting on semicolons, parses and acts on it. This is made possible because one of the methods responsible for obtaining the parsed query string (URL.Query()) silently discards the returned error instead of surfacing it to the caller. Oxeye stated that it discovered several instances of ParseThru in open-source projects such as Harbor, Traefik, and Skipper, allowing users to bypass validations and perform unauthorized actions. Following responsible disclosure to the respective vendors, the issues have been addressed. This article continues to discuss the findings regarding the ParseThru vulnerability.
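The parsing divergence described above can be reproduced in a few lines of Go. The following program is an added example written for this page; it is not code from Oxeye's report, from the Go standard library, or from any of the affected projects. It assumes a Go 1.17 or later toolchain for the "front end" behavior and emulates the pre-1.17 semicolon handling with a small reimplementation standing in for the legacy backend. The "role" parameter, the frontEndAllows check, and the query string are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// legacyParseQuery emulates pre-Go-1.17 net/url behaviour, in which both
// '&' and ';' separate key/value pairs. It is a reimplementation written for
// this example, standing in for a backend built with an older toolchain.
func legacyParseQuery(raw string) url.Values {
	out := url.Values{}
	isSep := func(r rune) bool { return r == '&' || r == ';' }
	for _, pair := range strings.FieldsFunc(raw, isSep) {
		kv := strings.SplitN(pair, "=", 2)
		key, err := url.QueryUnescape(kv[0])
		if err != nil {
			continue
		}
		value := ""
		if len(kv) == 2 {
			if value, err = url.QueryUnescape(kv[1]); err != nil {
				continue
			}
		}
		out.Add(key, value)
	}
	return out
}

// lenientQuery is what a Go 1.17+ front end gets from req.URL.Query():
// ParseQuery's "invalid semicolon separator" error is discarded and every
// '&'-delimited segment that contains a ';' is silently dropped.
func lenientQuery(raw string) url.Values {
	u := &url.URL{RawQuery: raw}
	return u.Query()
}

// strictQuery is the hardened alternative: call url.ParseQuery directly and
// let the caller refuse the request when it reports an error, so nothing is
// dropped without the front end noticing.
func strictQuery(raw string) (url.Values, error) {
	return url.ParseQuery(raw)
}

// normalizedQuery shows the other mitigation shipped with Go 1.17:
// http.AllowQuerySemicolons rewrites ';' to '&' before the handler runs, so
// the front end parses the same parameters a legacy backend would.
func normalizedQuery(raw string) url.Values {
	var got url.Values
	h := http.AllowQuerySemicolons(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		got = r.URL.Query()
	}))
	h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/?"+raw, nil))
	return got
}

// frontEndAllows is a hypothetical validation performed by the public API on
// its own parsed view of the query before it proxies the raw URL onward.
func frontEndAllows(q url.Values) bool {
	return q.Get("role") != "admin"
}

func main() {
	// Constructed attacker input: "role=admin" sits behind a ';' so the
	// 1.17+ front end never sees it, while a pre-1.17 backend does.
	raw := "user=alice&role=admin;x=1"

	front := lenientQuery(raw)
	back := legacyParseQuery(raw)
	fmt.Printf("front end sees role=%q, allows request: %v\n", front.Get("role"), frontEndAllows(front))
	fmt.Printf("backend sees role=%q\n", back.Get("role"))

	if _, err := strictQuery(raw); err != nil {
		fmt.Println("strict front end rejects:", err)
	}
	fmt.Printf("normalized front end sees role=%q\n", normalizedQuery(raw).Get("role"))
}
```

Run with `go run .` on Go 1.17 or newer: the lenient front end reports no "role" and lets the request through, the emulated legacy backend reads role=admin, the strict variant rejects the request outright, and the AllowQuerySemicolons variant sees role=admin and therefore blocks it. Either of the last two closes the gap; what matters is that front end and backend agree on how the query is split.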
THN reports "New 'ParseThru' Parameter Smuggling Vulnerability Affects Golang-based Applications"