Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!

Conference:  Defcon 26



The presentation discusses the importance of cybersecurity in DevOps and highlights the vulnerabilities in reverse proxy architecture and URL path parameters.
  • Reverse proxy architecture can be vulnerable to attacks that bypass security controls
  • URL path parameters can lead to security problems due to differences in implementation between web servers
  • Proper isolation of backend applications and ensuring behavior between proxy and backend servers can prevent attacks
  • Thin features in frameworks like Struts can introduce dangerous expression language that must be carefully controlled
During a code review of an open source content management system, the presenter found several tiny bugs that could be chained together to gain unauthorized access. The system was based on the Struts framework, which introduced dangerous expression language that had to be carefully controlled.


We propose a new exploit technique that brings a whole-new attack surface to defeat path normalization, which is complicated in implementation due to many implicit properties and edge cases. This complication, being under-estimated or ignored by developers for a long time, has made our proposed attack vector possible, lethal, and general. Therefore, many 0days have been discovered via this approach in popular web frameworks written in trending programming languages, including Python, Ruby, Java, and JavaScript. Being a very fundamental problem that exists in path normalization logic, sophisticated web frameworks can also suffer. For example, we've found various 0days on Java Spring Framework, Ruby on Rails, Next.js, and Python aiohttp, just to name a few. This general technique can also adapt to multi-layered web architecture, such as using Nginx or Apache as a proxy for Tomcat. In that case, reverse proxy protections can be bypassed. To make things worse, we're able to chain path normalization bugs to bypass authentication and achieve RCE in real world Bug Bounty Programs. Several scenarios will be demonstrated to illustrate how path normalization can be exploited to achieve sensitive information disclosure, SMB-Relay and RCE. Understanding the basics of this technique, the audience won't be surprised to know that more than 10 vulnerabilities have been found in sophisticated frameworks and multi-layered web architectures aforementioned via this technique.