[Go]: fasthttp model for XSS, SSRF, open redirect
am0o0 opened this issue · comments
Query PR
Language
GoLang
CVE(s) ID list
- GHSA-59m6-82qm-vqgj usage of ctx.Request.URI().FullURI() and ctx.Request.Header.Peek()
CWE
No response
Report
I added SSRF sinks, user-controlled remote sources, XSS sinks, open redirect sinks and some additional steps and sanitizers from the fasthttp package.
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
- Yes
- No
Blog post link
No response
👋 @amammad
Thank you for your contribution. Unfortunately, we can't accept the submission as is, taking into account the CodeQL code quality (lack of comments, not using the reference to this and so making the code difficult to read), and the low research done around the framework (wrong assumptions such as DoRedirects for Http::Redirect, which instead executes the request following redirects).
An improvement of the submission may have a lot of potential, let us know if you would like to work on it to keep the submission open, otherwise I will close it as rejected.
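The review comment above turns on the difference between two sinks that the submission mixed up: a redirect sink on the server (fasthttp's ctx.Redirect, where a user-controlled target is an open redirect) and a redirect-following client call (fasthttp's DoRedirects, which issues a fresh outbound request for every Location it follows, so it belongs with the SSRF sinks). The following Go program is an added example written for this page, not code from the submission or from fasthttp; it uses only the standard library (net/http, net/url) so it runs stand-alone, and the allowlisted hosts are constructed values. It shows the two checks a defender puts in front of each sink: validating a redirect target before it reaches the server-side redirect, and applying an outbound-host policy to every hop that a redirect-following client is about to take.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Constructed allowlists for this example; a real service would load them from config.
var allowedRedirectHosts = map[string]bool{"example.com": true, "app.example.com": true}
var allowedOutboundHosts = map[string]bool{"api.example.com": true}

// SafeRedirectTarget validates a user-supplied redirect target before it reaches a
// server-side redirect sink (ctx.Redirect in fasthttp, http.Redirect in net/http).
// It accepts only same-origin paths or absolute http(s) URLs whose host is allowlisted.
func SafeRedirectTarget(raw string) (string, bool) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", false
	}
	// Protocol-relative targets ("//host") and the backslash variants browsers
	// normalise to "//" would leave the origin, so reject them before parsing.
	if strings.HasPrefix(raw, "//") || strings.HasPrefix(raw, "/\\") || strings.HasPrefix(raw, "\\") {
		return "", false
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", false
	}
	if u.Scheme == "" && u.Host == "" {
		// Relative target: require a leading slash so it stays on this origin.
		if !strings.HasPrefix(u.Path, "/") {
			return "", false
		}
		return u.String(), true
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", false
	}
	// Hostname() drops userinfo and port, so "https://example.com@other/" is judged by "other".
	if !allowedRedirectHosts[strings.ToLower(u.Hostname())] {
		return "", false
	}
	return u.String(), true
}

// CheckOutboundURL is the SSRF-side policy. It must run on the initial request and,
// because a redirect-following client (DoRedirects in fasthttp, http.Client here)
// issues a new request per hop, on every Location the client is about to follow.
func CheckOutboundURL(u *url.URL) error {
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if !allowedOutboundHosts[strings.ToLower(u.Hostname())] {
		return fmt.Errorf("host %q not on outbound allowlist", u.Hostname())
	}
	return nil
}

// NewOutboundClient returns an http.Client whose redirect hops are policed by
// CheckOutboundURL and capped at three, so a redirect cannot steer the client elsewhere.
func NewOutboundClient() *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			return CheckOutboundURL(req.URL)
		},
	}
}

// redirectHandler shows the validation sitting directly in front of the redirect sink:
// an invalid target falls back to a fixed location instead of echoing the input.
func redirectHandler(w http.ResponseWriter, r *http.Request) {
	target, ok := SafeRedirectTarget(r.URL.Query().Get("next"))
	if !ok {
		target = "/"
	}
	http.Redirect(w, r, target, http.StatusFound)
}

func main() {
	for _, in := range []string{"/account", "//evil.example/x", "https://app.example.com/home", "https://example.com@evil.example/"} {
		t, ok := SafeRedirectTarget(in)
		fmt.Printf("%-40q -> ok=%v target=%q\n", in, ok, t)
	}
	c := NewOutboundClient()
	hop, _ := http.NewRequest("GET", "http://intranet.example/admin", nil)
	fmt.Println("redirect hop check:", c.CheckRedirect(hop, nil))
	http.HandleFunc("/login", redirectHandler)
}
```

The same two policies apply unchanged to fasthttp: SafeRedirectTarget guards the value passed to ctx.Redirect, and CheckOutboundURL has to be applied to the request URI before fasthttp's DoRedirects is called and, since that call follows redirects on its own, the hop count passed to it should be kept small and the final response URL re-checked.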
@jorgectf Thanks for informing me about the mistakes that I made. I'll fix the problems of this query that you've mentioned. Please let me know about any suggestion that makes the review process faster and I'll do my best to solve that.
@jorgectf could you please elaborate on this part "... not using the reference to this and so making the code difficult to read)" a little bit more? thanks :)
@jorgectf I've fixed the issues and also added some more sinks/additional steps, and I provided examples of the XSS sanitizers.
Also, I wrote the output of each sanitizer against special characters beside the code for easier review.
For most of the additional steps and dangerous sinks, I tried to explain why and how some of them are dangerous or can be used.
And really, I can't believe how I missed DoRedirects and misplaced it as an open redirect sink :(
Your submission is now in status Query review.
For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
Your submission is now in status Final decision.
Created Hackerone report 2335428 for bounty 546296 : [786] [Go]: fasthttp model for XSS, SSRF, open redirect
Your submission is now in status Closed.