SSRF leading to JWT disclosure in VMWare Workspace One
We discussed this vulnerability during Episode 113 on 24 January 2022
While the hostname was validated for this vulnerability, injecting a @ into the path argument was sufficient to mislead the final URL parser, and the code actually making the HTTP request, into contacting an unapproved domain: the parser treats the text after the @ (the attacker-controlled path) as the host and everything before the @ as mere credentials.
A better approach would be to generate the entire URL and perform validation against that, similar to how one might check for directory traversal by resolving the final canonical path and validating that. This could still leave room for parser differentials, however, between the code doing the validation and the code actually making the request.
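As an added illustration (not code from the episode or from VMware), the following Python shows the validate-then-concatenate pattern beside the compose-then-validate approach described above, using urllib.parse as both the validating and the requesting parser; the allow-list, host names and paths are constructed values.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list of hosts the server-side fetch may contact (example value).
ALLOWED_HOSTS = {"api.example.internal"}


def build_url_naive(host: str, path: str) -> Optional[str]:
    """Vulnerable pattern: validate the hostname in isolation, then splice the
    caller-controlled path onto it. Nothing forces the path to start with '/',
    so a path beginning with '@' becomes part of the URL authority."""
    if host not in ALLOWED_HOSTS:
        return None
    return f"https://{host}{path}"


def build_url_canonical(host: str, path: str) -> Optional[str]:
    """Hardened pattern: compose the complete URL first, re-parse it with the
    same parser the HTTP client uses, and validate the components the client
    will actually act on (scheme, userinfo, host, port)."""
    candidate = f"https://{host}{path}"
    parts = urlsplit(candidate)
    if parts.scheme != "https":
        return None
    if parts.username is not None or parts.password is not None:
        return None  # credentials in the authority are never expected here
    if parts.hostname not in ALLOWED_HOSTS:
        return None
    if parts.port not in (None, 443):
        return None
    return candidate


def effective_host(url: str) -> Optional[str]:
    """Host the HTTP client would connect to for this URL."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    benign = "/v1/users"
    hostile = "@attacker.example/v1/users"  # constructed sample input
    for path in (benign, hostile):
        naive = build_url_naive("api.example.internal", path)
        print(f"naive     {path!r:32} -> connects to {effective_host(naive)}")
        print(f"canonical {path!r:32} -> {build_url_canonical('api.example.internal', path)}")
```

Validating the composed URL with the same parser the client uses (here urllib.parse, which urllib.request relies on) is what narrows the parser-differential gap the note warns about.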