When I was using axios, I found its dependency library follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too.
Steps To Reproduce & PoC
axios Test Code
const axios = require('axios');
axios.get('http://127.0.0.1:10081/',{
headers: {
'AuThorization': 'Rear Test',
'ProXy-AuthoriZation': 'Rear Test',
'coOkie': 't=1'
}
}).then(function (response) {
console.log(response);
})
When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.
Request sent by axios
image-20240314130755052.png
Request sent by follow-redirects after redirectimage-20240314130809838.png
Impact
This vulnerability may lead to credentials leak.
Recommendations
Remove proxy-authentication header during cross-domain redirect
Recommended Patch
follow-redirects/index.js:464
removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
change to
removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
Ref
https://fetch.spec.whatwg.org/#authentication-entries
psf/requests#1885
https://hackerone.com/reports/2390009
When I was using axios, I found its dependency library follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too.
Steps To Reproduce & PoC
axios Test Code
const axios = require('axios');
axios.get('http://127.0.0.1:10081/',{
headers: {
'AuThorization': 'Rear Test',
'ProXy-AuthoriZation': 'Rear Test',
'coOkie': 't=1'
}
}).then(function (response) {
console.log(response);
})
When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.
Request sent by axios
image-20240314130755052.png
Request sent by follow-redirects after redirectimage-20240314130809838.png
Impact
This vulnerability may lead to credentials leak.
Recommendations
Remove proxy-authentication header during cross-domain redirect
Recommended Patch
follow-redirects/index.js:464
removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
change to
removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
Ref
https://fetch.spec.whatwg.org/#authentication-entries
psf/requests#1885
https://hackerone.com/reports/2390009