Merge branch 'master' into denisl/js/HttpToFileAccessTest

2026-05-02 04:05:14 +02:00 · 2018-10-02 15:13:35 -07:00
parent 9c487bc6d9 d44761eaca
commit e147e690ee
44 changed files with 746 additions and 96 deletions
--- a/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.qhelp
+++ b/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.qhelp
@@ -0,0 +1,46 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens.
+A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site.
+This means the emails will be sent out to potential victims, originating from a server they trust, but with
+links leading to a malicious web site.
+</p>
+<p>
+If the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker.
+Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Obtain the server's host name from a configuration file and avoid relying on the Host header.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example uses the <code>req.host</code> to generate a password reset link.
+This value is derived from the Host header, and can thus be set to anything by an attacker:
+</p>
+<sample src="examples/HostHeaderPoisoningInEmailGeneration.js"/>
+
+<p>
+To ensure the link refers to the correct web site, get the host name from a configuration file:
+</p>
+<sample src="examples/HostHeaderPoisoningInEmailGenerationGood.js"/>
+</example>
+
+<references>
+<li>
+Mitre:
+<a href="https://cwe.mitre.org/data/definitions/640.html">CWE-640: Weak Password Recovery Mechanism for Forgotten Password</a>.
+</li>
+<li>
+Ian Muscat:
+<a href="https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/">What is a Host Header Attack?</a>.
+</li>
+</references>
+</qhelp>
--- a/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
+++ b/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
@@ -0,0 +1,29 @@
+/**
+ * @name Host header poisoning in email generation
+ * @description Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id js/host-header-forgery-in-email-generation
+ * @tags security
+ *       external/cwe/cwe-640
+ */
+import javascript
+
+class TaintedHostHeader extends TaintTracking::Configuration {
+  TaintedHostHeader() { this = "TaintedHostHeader" }
+
+  override predicate isSource(DataFlow::Node node) {
+    exists (HTTP::RequestHeaderAccess input | node = input |
+      input.getKind() = "header" and
+      input.getAHeaderName() = "host")
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists (EmailSender email | node = email.getABody())
+  }
+}
+
+from TaintedHostHeader taint, DataFlow::Node src, DataFlow::Node sink
+where taint.hasFlow(src, sink)
+select sink, "Links in this email can be hijacked by poisoning the HTTP host header $@.", src, "here"
--- a/javascript/ql/src/Security/CWE-640/examples/HostHeaderPoisoningInEmailGeneration.js
+++ b/javascript/ql/src/Security/CWE-640/examples/HostHeaderPoisoningInEmailGeneration.js
@@ -0,0 +1,19 @@
+let nodemailer = require('nodemailer');
+let express = require('express');
+let backend = require('./backend');
+
+let app = express();
+
+let config = JSON.parse(fs.readFileSync('config.json', 'utf8'));
+
+app.post('/resetpass', (req, res) => {
+  let email = req.query.email;
+  let transport = nodemailer.createTransport(config.smtp);
+  let token = backend.getUserSecretResetToken(email);
+  transport.sendMail({
+    from: 'webmaster@example.com',
+    to: email,
+    subject: 'Forgot password',
+    text: `Click to reset password: https://${req.host}/resettoken/${token}`,
+  });
+});
--- a/javascript/ql/src/Security/CWE-640/examples/HostHeaderPoisoningInEmailGenerationGood.js
+++ b/javascript/ql/src/Security/CWE-640/examples/HostHeaderPoisoningInEmailGenerationGood.js
@@ -0,0 +1,19 @@
+let nodemailer = require('nodemailer');
+let express = require('express');
+let backend = require('./backend');
+
+let app = express();
+
+let config = JSON.parse(fs.readFileSync('config.json', 'utf8'));
+
+app.post('/resetpass', (req, res) => {
+  let email = req.query.email;
+  let transport = nodemailer.createTransport(config.smtp);
+  let token = backend.getUserSecretResetToken(email);
+  transport.sendMail({
+    from: 'webmaster@example.com',
+    to: email,
+    subject: 'Forgot password',
+    text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,
+  });
+});