"Industrial Firms Advised Not to Ignore Security Risks Posed by URL Parsing Confusion"
A team of researchers from the industrial cybersecurity firm Claroty and the developer security company Snyk analyzed 16 URL parsing libraries and found that the libraries disagree with one another about how to interpret the same URL. Because an application commonly validates a URL with one parser and then acts on it with another (an HTTP client, a JNDI resolver, a browser), each disagreement is a way to make the check and the request see different hosts. The analysis identified five classes of inconsistency: backslash confusion (URLs containing backslashes, which some parsers treat as path separators and others as ordinary characters), scheme confusion (URLs with a malformed or missing scheme), slash confusion (URLs with an irregular number of slashes after the scheme), URL-encoded data confusion (URLs containing percent-encoded data that some parsers decode before parsing and others after), and scheme mixup (a URL belonging to a particular scheme handled by a parser that is not specific to that scheme). These inconsistencies can lead to Server-Side Request Forgery (SSRF), open redirect, Cross-Site Scripting (XSS), Denial-of-Service (DoS), and filter bypass issues. Eight CVE identifiers were assigned to the vulnerabilities the researchers discovered; they were privately disclosed to the maintainers and patched before the findings were made public. A well-known vulnerability related to URL parsing confusion is the bypass of the initial Log4Shell fix in Log4j, the open-source Apache Java logging framework used by developers to record activity within software applications and online services: the fix validated the host of a JNDI lookup URL against an allow list using one parser, while the lookup itself resolved the host with another, so a crafted URL could pass the allow-list check while the lookup was directed to a host the check never saw. This article continues to discuss key findings from the analysis of 16 URL parsing libraries and the implications of URL parsing confusion for industrial systems.
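The following Python is an added example, not code from the Claroty/Snyk research or from any of the 16 libraries it covers. It feeds one string to three parsing strategies (Python's urllib, a browser-style parser approximated here by folding backslashes and extra slashes before parsing, and a parser that percent-decodes first) to show backslash, slash, encoded-data and missing-scheme confusion producing different hosts, and then shows an allow-list check that refuses every input the strategies disagree on rather than trusting any one parser. The hostnames `evil.example`, `good.example` and `api.example.com` and the `ALLOWED_HOSTS` set are placeholders chosen for the demonstration; the sample URLs are constructed.

```python
"""Added example: URL parsing confusion across parsers, and a conservative
allow-list check. Not from the Claroty/Snyk research; sample URLs and host
names are constructed for the demonstration."""
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Schemes for which browser-style (WHATWG) parsers treat '\' as '/' and
# tolerate any number of slashes between the scheme and the authority.
SPECIAL_SCHEMES = {"http", "https", "ftp", "ws", "wss"}

# Assumed allow list for the outbound-request check below.
ALLOWED_HOSTS = {"api.example.com"}


def rfc3986_host(url: str):
    """Host as Python's urllib sees it (generic, RFC 3986 style parsing:
    a backslash is just a character, the authority ends at / ? or #)."""
    return urlsplit(url).hostname


def whatwg_like_host(url: str):
    """Host as a browser-style parser would see it, approximated: requires an
    absolute URL, and for special schemes folds '\\' to '/' and collapses the
    run of slashes after the scheme before reading the authority. This is a
    simplification of the WHATWG algorithm, not a full implementation."""
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):(.*)$", url, re.S)
    if not m:
        return None  # no scheme: a browser would treat this as relative
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme in SPECIAL_SCHEMES:
        rest = rest.replace("\\", "/")
        rest = "//" + rest.lstrip("/")
    return urlsplit(f"{scheme}:{rest}").hostname


def hosts_by_parser(url: str) -> dict:
    """The host three parsing strategies extract from the same string."""
    return {
        "urllib": rfc3986_host(url),
        "browser_like": whatwg_like_host(url),
        "decode_first": rfc3986_host(unquote(url)),  # decodes, then parses
    }


def safe_outbound_url(url: str) -> bool:
    """Allow-list check that rejects every form the parsers above disagree on.
    Rules: ASCII and printable only, no backslash, https only with exactly two
    slashes after the scheme, no userinfo, port or percent-encoding in the
    authority, host on the allow list, and the parsed parts must rebuild to the
    exact input so nothing was silently dropped or reinterpreted."""
    if not url.isascii() or not url.isprintable():
        return False
    if "\\" in url:
        return False  # backslash confusion
    low = url.lower()
    if not low.startswith("https://") or low.startswith("https:///"):
        return False  # scheme confusion / mixup, slash confusion
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if "@" in parts.netloc or "%" in parts.netloc or ":" in parts.netloc:
        return False  # userinfo, encoded-data and port tricks in the authority
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return False
    # Round trip: an upper-case scheme or anything urlsplit normalised away
    # makes this comparison fail, which is the conservative outcome.
    return urlunsplit(parts) == url


# Constructed samples, one per confusion class discussed in the article.
CONFUSION_SAMPLES = [
    "http://evil.example\\@good.example/",       # backslash confusion
    "http:///evil.example/",                      # slash confusion
    "http://good.example%40evil.example/",        # URL-encoded data confusion
    "//evil.example/path",                        # scheme confusion (missing)
]

if __name__ == "__main__":
    for sample in CONFUSION_SAMPLES:
        print(f"{sample!r}: {hosts_by_parser(sample)}")
    for candidate in ["https://api.example.com/v1?x=1",
                      "https://api.example.com\\@evil.example/",
                      "https://api.example.com%40evil.example/"]:
        print(f"{candidate!r}: allowed={safe_outbound_url(candidate)}")
```

The check deliberately refuses more than it needs to (no ports, no userinfo, no percent-encoding in the authority, no upper-case scheme). When the validating parser and the consuming library are different code, rejecting ambiguity is cheaper than proving that both resolve every corner case the same way.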