How the CVE Works:
CVE-2021-3768 affects the Koa web framework in versions below 2.16.1 and below 3.0.0-alpha.5. The vulnerability arises when untrusted user input is passed to `ctx.redirect()` without proper validation. Even when the input is sanitized, an attacker can craft a URL that runs JavaScript in the victim's browser once the redirect is followed, because the target is parsed insufficiently and `javascript:` or `data:` URIs are not rejected. The browser treats the redirect target as executable code, leading to cross-site scripting (XSS) or phishing attacks.
DailyCVE Form:
Platform: Koa
Version: <2.16.1, <3.0.0-alpha.5
Vulnerability: Open Redirect
Severity: Critical
Date: 2021-08-09
What Undercode Says:
Exploit:
1. Craft a malicious URL:
ctx.redirect('javascript:alert(document.cookie)');
2. Phishing payload:
ctx.redirect('data:text/html,<script>stealCookies()</script>');
3. Bypass sanitization:
ctx.redirect('\/\/evil.com/xss');
Protection:
1. Update Koa:
npm install koa@latest
2. Validate URLs:
// Scheme allowlist for redirect targets; a prefix check alone does not pin the host (e.g. "https://trusted.example.com.evil.com" passes), so pair it with a host check on the parsed URL.
const safeRedirect = (url) => { if (!url.startsWith('http://') && !url.startsWith('https://')) throw new Error('Invalid URL'); return url; };
3. Use middleware:
// Rejects requests whose own URL contains a literal lowercase "javascript:"; it is a coarse backstop only (case variants and other schemes pass), not a substitute for validating the redirect target itself.
app.use(async (ctx, next) => { if (ctx.url.includes('javascript:')) ctx.throw(400); await next(); });
Detection:
1. Scan dependencies:
npm audit
2. Test redirects:
curl -I "http://target/api/redirect?url=javascript:alert(1)"
Mitigation:
- Disable dynamic redirects.
- Implement CSP headers:
Content-Security-Policy: default-src 'self'
- Log suspicious activity:
// Koa's app is an EventEmitter but never emits a 'redirect' event, so an app.on('redirect', ...) listener would never fire; wrap ctx.redirect in a middleware instead.
app.use(async (ctx, next) => { const redirect = ctx.redirect.bind(ctx); ctx.redirect = (url) => { console.warn('Redirect attempt:', url); return redirect(url); }; await next(); });
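The validation, middleware and logging steps above combined into one guarded redirect, as an added example that is not code from the page or from the Koa project. It uses Node's global WHATWG `URL` parser, Koa's real `ctx.origin` and `ctx.redirect(url)`, and a constructed `ALLOWED_HOSTS` allowlist.

```javascript
// Added example, not code from the page or from the Koa project. It resolves the
// candidate target with the WHATWG URL parser (global URL in Node) against the
// request origin, then allows only http(s) targets on an allowlisted host.
// ALLOWED_HOSTS is a constructed allowlist; ctx.origin and ctx.redirect(url)
// are Koa's real context members.
const ALLOWED_HOSTS = new Set(['app.example.com']);

// Returns the normalised absolute URL to redirect to, or null if the target
// must be refused. Relative paths resolve to requestOrigin, so "/settings"
// is allowed while "//evil.com", "/\evil.com", "javascript:..." and
// "data:..." are not, regardless of case, tabs or newlines in the scheme.
function safeRedirectTarget(candidate, requestOrigin) {
  if (typeof candidate !== 'string' || candidate.length === 0) return null;
  let parsed;
  try {
    parsed = new URL(candidate, requestOrigin);
  } catch {
    return null; // unparsable input is refused rather than passed through
  }
  // parsed.protocol is lowercased and stripped of tabs/newlines by the parser,
  // so a substring test on the raw string is unnecessary here.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  // Compare the parsed hostname, not a string prefix:
  // "https://app.example.com.evil.com" starts with the trusted origin
  // but is a different host.
  if (!ALLOWED_HOSTS.has(parsed.hostname)) return null;
  return parsed.href;
}

// Koa middleware that routes every ctx.redirect() call through the validator,
// logging refused targets and sending the user to `fallback` instead.
function guardedRedirect(fallback = '/') {
  return async (ctx, next) => {
    const original = ctx.redirect.bind(ctx);
    ctx.redirect = (url) => {
      const target = safeRedirectTarget(url, ctx.origin);
      if (target === null) {
        console.warn('Blocked redirect attempt:', JSON.stringify(url));
        return original(fallback);
      }
      return original(target);
    };
    await next();
  };
}

// Usage in an app: app.use(guardedRedirect('/')) before the routes.
```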
References:
Reported By: https://github.com/advisories/GHSA-x2rg-q646-7m2v