Breaking Parser Logic: Take Your Path Normalization off and Pop 0days Out!

Conference: BlackHat USA 2018



The presentation discusses the importance of cybersecurity in DevOps and highlights the vulnerabilities in reverse proxy architecture and URL path parameters. It also provides solutions to prevent attacks and emphasizes the need for continuous auditing and patching.
  • Reverse proxy architecture can be vulnerable to attacks that bypass security measures
  • URL path parameters can also be exploited to gain unauthorized access
  • Isolating backend applications and ensuring proper behavior between proxy and backend servers can prevent attacks
  • Continuous auditing and patching are necessary to maintain security
  • An anecdote is provided about exploiting a vulnerability in a content management system to gain unauthorized access
The presenter shares a story about exploiting a vulnerability in a content management system called Nastya to gain unauthorized access. By forging a record that matched the whitelist in access control, they were able to bypass security measures. Although most patches returned a null pointer exception, they were still able to knock on the door and gain access to the configuration file. This highlights the importance of continuous auditing and patching to maintain security.


We propose a new exploit technique that brings a whole new attack surface to defeat path normalization, which is complicated to implement because of its many implicit properties and edge cases. This complication, underestimated or ignored by developers for a long time, has made our proposed attack vector possible, lethal, and general. As a result, many 0days have been discovered via this approach in popular web frameworks written in trending programming languages, including Python, Ruby, Java, and JavaScript. Because the problem is fundamental to path normalization logic, sophisticated web frameworks can suffer as well. For example, we've found various 0days in the Java Spring Framework, Ruby on Rails, Next.js, and Python aiohttp, just to name a few. This general technique also adapts to multi-layered web architectures, such as Nginx or Apache acting as a proxy for Tomcat; in that case, reverse proxy protections can be bypassed. To make things worse, we're able to chain path normalization bugs to bypass authentication and achieve RCE in real-world Bug Bounty Programs. Several scenarios will be demonstrated to illustrate how path normalization can be exploited to achieve sensitive information disclosure, SMB relay, and RCE. Once the audience understands the basics of this technique, it won't be surprising that more than 10 vulnerabilities have been found via it in the sophisticated frameworks and multi-layered web architectures mentioned above.
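The core of the abstract is that a front-end proxy and a backend can canonicalize the same request path differently, so an access-control decision taken on the raw path can disagree with the path the backend actually resolves. The following Python is an added illustration written for this page, not code from the talk or from any of the servers it names: it models a backend-style canonicalization (percent-decode once, strip `;key=value` path parameters, resolve dot segments), applies one protected-prefix policy both to the raw path and to the canonical path, and reports the requests where the two verdicts disagree. The `/admin` prefix and the sample request paths are constructed for the example.

```python
"""Constructed model of proxy/backend path-normalization disagreement.

Added example for illustration only; it is not the code of Nginx, Apache,
Tomcat or any framework mentioned in the abstract.
"""
import posixpath
from urllib.parse import unquote

# Assumed protected area for the illustration (not from the talk).
PROTECTED_PREFIX = "/admin"


def normalize_path(raw_path: str) -> str:
    """Model of a backend-style canonicalization of a request path.

    Steps: percent-decode once, drop ';param' path parameters from every
    segment, then resolve '.' and '..' segments and collapse repeated slashes.
    """
    decoded = unquote(raw_path)
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    # Strip path parameters segment by segment ('/admin;v=1/x' -> '/admin/x').
    stripped = "/".join(seg.split(";", 1)[0] for seg in decoded.split("/"))
    canonical = posixpath.normpath(stripped)
    # posixpath.normpath keeps a leading '//' verbatim; collapse it to one slash.
    return "/" + canonical.lstrip("/")


def naive_is_protected(raw_path: str) -> bool:
    """Front-door check on the raw request path, as a proxy ACL might do it."""
    return raw_path.startswith(PROTECTED_PREFIX)


def canonical_is_protected(raw_path: str) -> bool:
    """The same policy applied to the path the backend will actually resolve.

    Matching on the whole segment ('/admin' or '/admin/...') also avoids the
    prefix bug that would wrongly cover '/administrator'.
    """
    path = normalize_path(raw_path)
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def find_disagreements(paths):
    """Detection helper: return (raw, canonical) pairs where the naive and the
    canonical verdicts differ. These are the requests a raw-path ACL would
    misjudge, in either direction, and are worth alerting on in proxy logs."""
    out = []
    for p in paths:
        if naive_is_protected(p) != canonical_is_protected(p):
            out.append((p, normalize_path(p)))
    return out


# Constructed sample request paths, as they might appear in an access log.
SAMPLE_PATHS = [
    "/admin/config",             # both checks agree: protected
    "/public/index.html",        # both checks agree: not protected
    "/static/../admin/config",   # dot segment: raw check misses it
    "/%61dmin/config",           # percent-encoding: raw check misses it
    "/administrator/login",      # raw prefix check over-blocks this one
]

if __name__ == "__main__":
    for raw, canonical in find_disagreements(SAMPLE_PATHS):
        print(f"disagreement: raw={raw!r} canonical={canonical!r}")
```

The practical takeaway is the one the abstract implies: enforce access control on the canonical form the backend will use, not on the raw request line, and treat any request whose raw and canonical forms lead to different verdicts as a signal for the auditing the talk recommends.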