Listen to this Post
The vulnerability resides in the `fixTrailingSlash` middleware applied by default to page routes in Qwik City. When handling a request, this middleware checks if the URL path should have a trailing slash added or removed for consistency. It constructs a redirect `Location` header based on the incoming request path. The flaw was that it did not properly validate the generated redirect target. An attacker could craft a request to a path like //evil.com. The middleware would process this and issue a 301 redirect with the header Location: //evil.com. A browser interprets this protocol-relative URL, redirecting the user to `https://evil.com` or `http://evil.com` based on the original connection, effectively performing an open redirect from the trusted domain to an attacker-controlled site.
Platform: Qwik City
Version: < 1.19.0
Vulnerability: Open Redirect
Severity: Medium
date:
Prediction: Patched 2024-04-24
What Undercode Say:
Check current qwik-city version
npm list @builder.io/qwik-city
Simulate malicious request triggering redirect
curl -I "https://victim-domain.com//evil.com/path"
Pattern to detect vulnerable Location headers
grep -r "Location:\s//" src/
Example of a safe redirect validation snippet
if (!redirectUrl.startsWith('/') || redirectUrl.includes('://')) {
throw new Error('Invalid redirect');
}
How Exploit:
Attacker sends a crafted link: https://trusted-app.com//phishing-site.com/login`. The victim's browser receives a 301 redirect from the trusted domain tohttps://phishing-site.com/login`.
Protection from this CVE
Update to `@builder.io/qwik-city` version 1.19.0 or later.
Impact:
Phishing attacks, session token theft, user credential harvesting.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

