[BUG]: Server-Side Request Forgery Vulnerability In File Import
Issue description
Problem:
There is an SSRF (Server-Side Request Forgery) vulnerability when importing an external JSON file using a URL.
In src/containers/Modals/ImportModal/index.tsx, the vulnerability can be found in the handleImportFile function. Here is the specific code that introduces the vulnerability:
```tsx
if (url) {
  setJsonFile(null);
  toast.loading("Loading...", { id: "toastFetch" });
  return fetch(url) // *SSRF IS EXPLOITED HERE*
    .then(res => res.json())
    .then(json => {
      setJson(JSON.stringify(json, null, 2));
      setVisible(false);
    })
    .catch(() => toast.error("Failed to fetch JSON!"))
    .finally(() => toast.dismiss("toastFetch"));
}
```
The Danger:
An SSRF vulnerability can be dangerous as it allows the attacker to access resources that are normally restricted to the server, potentially revealing sensitive information or allowing the attacker to launch further attacks.
In addition, an attacker could use SSRF to send requests to external resources, such as websites or APIs, in order to perform actions on behalf of the vulnerable server running JSON Crack. This could allow the attacker to bypass authentication requirements or rate limits, potentially allowing them to perform actions that would normally be restricted.
How to fix this vulnerability:
In the handleImportFile function in src/containers/Modals/ImportModal/index.tsx change the vulnerable code I put above to the following:
```tsx
if (url) {
  const urlToCheck = new URL(url);
  const path = urlToCheck.pathname;
  const hostname = urlToCheck.hostname;
  // check if the URL is truly pointing to a JSON file, and if the hostname of the URL is not referencing the localhost.
  if (path.endsWith(".json") && !["localhost", "127.0.0.1"].includes(hostname)) {
    setJsonFile(null);
    toast.loading("Loading...", { id: "toastFetch" });
    return fetch(url)
      .then(res => res.json())
      .then(json => {
        setJson(JSON.stringify(json, null, 2));
        setVisible(false);
      })
      .catch(() => toast.error("Failed to fetch JSON!"))
      .finally(() => toast.dismiss("toastFetch"));
  } else {
    toast.error("Invalid URL!");
  }
}
```
I would be happy to make a PR!
Media & Screenshots
No response
Operating system
- OS: Ubuntu 20.04.4
- Browser: Chrome
Priority this issue should have
Medium (should be fixed soon)
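The check proposed above has two gaps a reviewer would flag: `new URL(url)` throws on malformed input before the `else` branch is reached, and a two-entry hostname blocklist misses other spellings of loopback (`127.x.x.x`, `[::1]`, `*.localhost`). The following is an added example, not code from the issue or from the JSON Crack code base: a `checkImportUrl` helper (a hypothetical name) that returns a result instead of throwing, restricts the scheme to http(s), rejects loopback hosts in their common forms, and keeps the `.json` suffix requirement.

```typescript
// Added example, not JSON Crack code. Validates a user-supplied import URL
// before it is handed to fetch(). Returns a reason instead of throwing, so the
// caller can show a toast without wrapping new URL() in try/catch.

type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

function isLoopbackHost(hostname: string): boolean {
  const h = hostname.toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  // The WHATWG URL parser keeps IPv6 literals bracketed in .hostname
  if (h === "[::1]") return true;
  // Any address in 127.0.0.0/8 is loopback, not only 127.0.0.1.
  // The parser has already expanded shorthand such as 127.1 to dotted form.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && Number(m[1]) === 127;
}

function checkImportUrl(input: string): UrlCheck {
  let url: URL;
  try {
    url = new URL(input);
  } catch {
    return { ok: false, reason: "malformed URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `unsupported scheme ${url.protocol}` };
  }
  if (isLoopbackHost(url.hostname)) {
    return { ok: false, reason: "loopback host" };
  }
  // pathname excludes the query string, so "?x=.json" cannot satisfy this
  if (!url.pathname.toLowerCase().endsWith(".json")) {
    return { ok: false, reason: "path does not end in .json" };
  }
  return { ok: true, url };
}
```

The caller would replace `new URL(url)` plus the inline condition with `const check = checkImportUrl(url)` and branch on `check.ok`, showing `check.reason` in the error toast.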
Hello Ryan, thanks for sharing this. When a user fetches from a URL, everything happens on the client side and there is no contact with the server. Therefore it's the same as directly going to that URL or fetching within the JSON Crack UI. Though I'm not a cyber security expert, do you think it affects any part of the application even though it's on the client side?
Hello AykutSarac, my mistake, I did not realize that everything happens on the client side. When testing this out, I made a mistake which made it seem like this was server-side. If everything is client-side then it should be safe.
Thank you!