The vulnerability exploits inconsistent HTTP header normalization between OAuth2 Proxy and the applications behind it. OAuth2 Proxy strips specific `X-Forwarded-` headers (e.g., X-Forwarded-User) from client requests before setting its own values, so that the upstream can trust them as the proxy's statement of who is authenticated. Before the fix, however, it did not normalize header names, so `X-Forwarded-User` and `X_Forwarded_User` were treated as distinct and only the dash form was stripped. Upstream WSGI frameworks (Django, Flask, etc.) collapse dashes and underscores when they map header names to the request environment, so `X_Forwarded_User` arrives at the application as X-Forwarded-User. An authenticated attacker can therefore inject the underscore variant (X_Forwarded_User: admin), which passes the proxy's filter unchanged. The upstream application normalizes it, reads it as the proxy-supplied identity, and may grant privileges based on the forged value: a privilege escalation inside the application. The proxy's own authentication is not bypassed; the attacker must already hold a valid session.
Platform: OAuth2 Proxy
Version: <7.13.0
Vulnerability: Header Smuggling
Severity: Critical
date: 2024
Prediction: Patch Available
What Undercode Say:
curl -b "<authenticated oauth2-proxy session cookie>" -H "X_Forwarded_User: attacker" http://vulnerable-app.com/protected-route
Example of WSGI normalization (e.g., Flask/Django): the WSGI server turns each request header into a CGI-style environ key by upper-casing the name, replacing dashes with underscores and prefixing HTTP_. Both `X-Forwarded-User` and `X_Forwarded_User` therefore become `HTTP_X_FORWARDED_USER`, and `request.headers["X-Forwarded-User"]` reads that key back, so the application cannot tell the two spellings apart.
// Illustration of the patched header stripping logic: every incoming header name
// is brought into this form before it is compared against the strip list, so the
// dash and underscore spellings match the same entry.
func normalizeHeader(name string) string {
	name = strings.ToLower(name)
	name = strings.ReplaceAll(name, "_", "-")
	return name
}
How Exploit:
1. Attacker authenticates with OAuth2 Proxy and obtains a valid session.
2. Attacker sends a request to a protected route with a forged header such as X_Forwarded_User: admin.
3. OAuth2 Proxy does not strip the header, because its strip list only matches the dash spelling X-Forwarded-User.
4. The upstream WSGI app normalizes `X_Forwarded_User` to `X-Forwarded-User`.
5. The upstream app trusts the header value and grants admin access.
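The following Go program is an added example, not oauth2-proxy's source or the patch itself. It models the three pieces the steps above rely on: a pre-7.13.0 style filter that deletes only the exact name `X-Forwarded-User`, a patched style filter that normalizes every incoming name before comparing, and a WSGI-style environ mapping that shows why the upstream cannot distinguish the two spellings. The function names (`stripExact`, `stripNormalized`, `forward`, `upstreamIdentity`), the session user `alice` and the protected header list are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Identity headers the proxy sets itself and must never accept from a client.
// (Assumed list for this example.)
var proxyHeaders = []string{"X-Forwarded-User", "X-Forwarded-Email", "X-Forwarded-Groups"}

// stripExact models the pre-7.13.0 behaviour: only the canonical dash spelling
// is deleted, so a client-supplied "X_Forwarded_User" survives untouched.
func stripExact(h http.Header) http.Header {
	out := h.Clone()
	for _, name := range proxyHeaders {
		out.Del(name)
	}
	return out
}

// normalizeHeaderName folds case and maps "_" to "-" so both spellings collide.
func normalizeHeaderName(name string) string {
	return strings.ToLower(strings.ReplaceAll(name, "_", "-"))
}

// stripNormalized models the patched behaviour: every incoming header name is
// normalized before it is compared against the protected list, so all variants
// of a protected header are dropped.
func stripNormalized(h http.Header) http.Header {
	protected := map[string]bool{}
	for _, name := range proxyHeaders {
		protected[normalizeHeaderName(name)] = true
	}
	out := http.Header{}
	for name, vals := range h {
		if protected[normalizeHeaderName(name)] {
			continue
		}
		out[name] = vals
	}
	return out
}

// forward models the proxy: strip client-supplied identity headers with the
// chosen filter, then set X-Forwarded-User to the authenticated session user.
func forward(client http.Header, strip func(http.Header) http.Header, sessionUser string) http.Header {
	out := strip(client)
	out.Set("X-Forwarded-User", sessionUser)
	return out
}

// wsgiEnvironKey reproduces how a CGI/WSGI server names a header in environ:
// upper-case, "-" replaced by "_", prefixed with "HTTP_". Both spellings of
// X-Forwarded-User end up at the same key here.
func wsgiEnvironKey(name string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
}

// upstreamIdentity models a WSGI app reading X-Forwarded-User: every header
// whose environ key is HTTP_X_FORWARDED_USER contributes a value. The slice is
// sorted so the result is deterministic regardless of map iteration order.
func upstreamIdentity(h http.Header) []string {
	var vals []string
	for name, v := range h {
		if wsgiEnvironKey(name) == "HTTP_X_FORWARDED_USER" {
			vals = append(vals, v...)
		}
	}
	sort.Strings(vals)
	return vals
}

func main() {
	// Constructed request from an authenticated attacker (session user "alice")
	// who smuggles the underscore spelling of the identity header.
	client := http.Header{}
	client.Set("Accept", "text/html")
	client.Set("X_Forwarded_User", "admin")

	fmt.Println("before 7.13.0, upstream sees:", upstreamIdentity(forward(client, stripExact, "alice")))
	fmt.Println("patched, upstream sees:     ", upstreamIdentity(forward(client, stripNormalized, "alice")))
}
```

With the exact-match filter the upstream receives both "admin" and "alice" under the same environ key, and which one wins depends on how the WSGI server merges duplicates; with the normalizing filter only the proxy's own "alice" remains.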
Protection from this CVE
Upgrade OAuth2 Proxy to version 7.13.0 or later. The patch enables header name normalization by default, treating `X-Forwarded-User` and `X_Forwarded_User` as the same header and stripping both. If you use a custom header configuration, make sure `InsecureSkipHeaderNormalization` is not enabled (it must be false). As a workaround, reject or drop header names containing underscores before they reach the application. Note that this has to happen in a layer that still sees the raw header name: by the time a WSGI application runs, the server has already collapsed both spellings into the same environ key, so the application itself usually cannot tell them apart. Gunicorn's `header_map` setting can be set to drop or refuse such headers, and nginx discards headers with underscores by default (`underscores_in_headers off`). Independently of the proxy, an upstream should only trust `X-Forwarded-` identity headers when it is reachable exclusively through the proxy.
Impact:
Privilege escalation for authenticated users in upstream applications. This can lead to unauthorized access to application data and administrative functions. The impact is high if the upstream application relies on the `X-Forwarded-` headers for user identification or authorization decisions.
Sources:
Reported By: github.com

