this risk is present because the end user has to be careful when following links, especially when they come from a site they do not trust.

There are several ways you can protect against this risk, such as using a password manager or turning on two-factor authentication.
On the other hand, if you are using a service like WebMock, which lets you simulate the end-to-end flow of data, you can test your site's security and assess whether it is vulnerable to this risk.

Insecure Direct Object References

This risk is present because end-to-end communications are not encrypted. This means the user has to be careful when following links, especially when they come from a site they do not trust.

Insecure Configuration of WebMock

WebMock successfully simulated a user's data flow, but did not test how easily the site could be compromised.

While WebMock is a good tool that can help you identify risks and vulnerabilities, make sure you test your site with it before launching your website or app.

Bypassing Authentication with Cross-Site Scripting (XSS)

Cross-Site Scripting is a type of attack where malicious code is injected into the browser of an unsuspecting user, giving the attacker full control over the user’s session.
XSS is typically carried out through a malicious web resource that tricks the browser into loading it as the response to an innocuous request from the victim. This means your application could be exposed to this risk simply because a user visits an otherwise benign page on your website, or because someone clicks a link to it.
If you are not sure whether your site is vulnerable, you can use WebMock to check for it and assess whether you need to make any changes.
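The injection described above happens when untrusted input is written into HTML without encoding. The following Ruby snippet is an added example, not code from the page or from WebMock: it shows a vulnerable rendering function beside its hardened form, plus a small check a test suite could run over the rendered output. The echoed `name` parameter and the sample payload are constructed for illustration.

```ruby
require "cgi"

# Constructed sample input: a value that a reflected-XSS payload would carry
# (assumption: a "name" query parameter is echoed into the page).
UNTRUSTED_NAME = %q{<script>alert(1)</script>}

# Vulnerable rendering: interpolates the raw parameter straight into HTML,
# so the browser parses the injected tag as markup and executes it.
def render_unsafe(name)
  "<p>Hello, #{name}!</p>"
end

# Hardened rendering: HTML-encodes the parameter before interpolation,
# so the browser renders it as literal text, not as a tag.
def render_safe(name)
  "<p>Hello, #{CGI.escapeHTML(name)}!</p>"
end

# Defender-side check: does a rendered fragment still contain an unencoded
# opening tag? Suitable as an assertion in a rendering test.
def contains_raw_tag?(html_fragment, tag = "script")
  html_fragment.include?("<#{tag}")
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(UNTRUSTED_NAME) # tag survives intact
  puts render_safe(UNTRUSTED_NAME)   # tag is encoded as &lt;script&gt;
end
```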

Timeline

Published on: 01/10/2022 20:15:00 UTC
Last modified on: 02/09/2022 14:17:00 UTC
