Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots. Prior to version 1.23.0, when using subrequest authentication, Anubis did not validate the redirect URL and would redirect the user to a URL of any scheme. While most modern browsers refuse to follow a redirect to a `javascript:` URL, it could still trigger dangerous behavior in some cases. Anyone using subrequest authentication may be affected. Version 1.23.0 contains a fix for the issue.
Anubis Web AI Firewall Utility versions prior to 1.23.0 contain an open redirect in subrequest authentication. Because the post-authentication redirect target is not validated, an attacker can send users to an arbitrary URL of any scheme: at minimum this enables phishing from what looks like a trusted site, and where a user agent honors a non-HTTP scheme such as `javascript:` it can lead to client-side code execution and information disclosure. Successful exploitation could compromise user data or serve as a foothold for further attacks.
Step 1: Subrequest Authentication Trigger: The attacker identifies a site protected by Anubis running in subrequest authentication mode, where the reverse proxy asks Anubis to authorize each request and Anubis sends unverified clients through its challenge flow before redirecting them to the destination supplied during that flow.
Step 2: Malicious URL Injection: The attacker crafts a destination URL under their control, for example a `javascript:` URL or an absolute or protocol-relative URL pointing at a site they run, and arranges for it to reach the subrequest authentication flow as the post-authentication destination. The exact injection point depends on how subrequest authentication is deployed in the specific implementation.
Step 3: Redirect Execution: Because the destination is not validated, Anubis accepts the attacker-controlled URL and issues a redirect that sends the user's browser to it.
Step 4: Payload Execution (Potential): If the destination is a `javascript:` URL, a client that honors it would execute the attacker's script, giving XSS-style client-side code execution and information disclosure; mainstream browsers refuse to follow a `Location` header with that scheme, but other user agents or embedded web views may not. If the destination is an attacker-run site, the user lands on a phishing page reached via the trusted site and may be tricked into providing credentials or other sensitive information.
The vulnerability stems from insufficient validation of the redirect URL in Anubis's subrequest authentication mechanism: the destination URL provided during the authentication flow is used as the redirect target without being checked, so an attacker-controlled value with any scheme (including `javascript:` and other non-HTTP protocols) or any host is passed straight through to the client. The root cause is a missing check in the code responsible for issuing the redirect; version 1.23.0 adds validation of the redirect URL. The direct consequence is an open redirect, and, for any client that executes `javascript:` navigations, cross-site scripting. The missing check is a classic input-validation gap: a redirect destination taken from a request must be restricted to an allow-listed scheme (http or https) and to the protected site's own host, or to a site-relative path, and anything else should be dropped in favor of a safe default.
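The following is an added example, not Anubis source code, written in Go because Anubis is a Go project. It reconstructs the bug class the steps above describe (an unchecked destination copied into the `Location` header) beside a hardened version that allow-lists the scheme and host, and runs both against constructed attacker inputs. The query-parameter name `redir`, the host `example.com` and the `/challenge` path are assumptions for illustration and are not necessarily what Anubis uses.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// redirParam is an ASSUMED query-parameter name carrying the post-challenge
// destination; it is not necessarily what Anubis calls it.
const redirParam = "redir"

// unsafeRedirect reconstructs the bug class the advisory describes: the
// destination supplied with the request is handed to http.Redirect unchecked,
// so any scheme (javascript:, data:) or any foreign host ends up in Location.
func unsafeRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, r.URL.Query().Get(redirParam), http.StatusFound)
}

// safeRedirectDestination accepts only a site-relative path or an absolute
// http(s) URL whose host is exactly siteHost, and rejects everything else.
func safeRedirectDestination(raw, siteHost string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
		// Absolute URL: it must point back at the protected site itself.
		if u.Host != siteHost {
			return "", fmt.Errorf("redirect host %q is not %q", u.Host, siteHost)
		}
	case "":
		// No scheme: accept only "/path". "//evil.example" parses with an empty
		// scheme but a non-empty Host, and browsers treat "/\evil.example" as
		// "//evil.example", so both shapes are refused explicitly.
		if u.Host != "" || !strings.HasPrefix(u.Path, "/") ||
			strings.HasPrefix(u.Path, "//") || strings.HasPrefix(u.Path, "/\\") {
			return "", errors.New("redirect must be a site-relative path")
		}
	default:
		// javascript:, data:, file:, vbscript: and friends are never valid
		// post-authentication destinations.
		return "", fmt.Errorf("redirect scheme %q not allowed", u.Scheme)
	}
	return u.String(), nil
}

// safeRedirect is the hardened handler: invalid destinations fall back to the
// site root instead of echoing attacker input into the Location header.
func safeRedirect(siteHost string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		dst, err := safeRedirectDestination(r.URL.Query().Get(redirParam), siteHost)
		if err != nil {
			dst = "/"
		}
		http.Redirect(w, r, dst, http.StatusFound)
	}
}

// locationFor drives a handler with a constructed request carrying redir and
// returns the Location header the handler emitted.
func locationFor(h http.Handler, redir string) string {
	req := httptest.NewRequest(http.MethodGet,
		"/challenge?"+redirParam+"="+url.QueryEscape(redir), nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Location")
}

// UnsafeLocation and SafeLocation expose the two behaviours side by side.
func UnsafeLocation(redir string) string {
	return locationFor(http.HandlerFunc(unsafeRedirect), redir)
}

func SafeLocation(redir, siteHost string) string {
	return locationFor(safeRedirect(siteHost), redir)
}

func main() {
	// Constructed inputs: destinations an attacker might plant, plus two legitimate ones.
	inputs := []string{
		"/dashboard?tab=1",
		"https://example.com/dashboard",
		"javascript:alert(document.domain)",
		"data:text/html,<script>alert(1)</script>",
		"//evil.example/phish",
		"https://evil.example/phish",
		"/\\evil.example",
	}
	for _, in := range inputs {
		fmt.Printf("%-42s unsafe=%-42s safe=%s\n", in, UnsafeLocation(in), SafeLocation(in, "example.com"))
	}
}
```

Running it shows the unchecked handler emitting `Location: javascript:alert(document.domain)` and `Location: //evil.example/phish`, while the hardened handler collapses every hostile input to `/` and passes the two legitimate destinations through unchanged. Note that `u.Host` includes any port, so a site served on a non-default port must compare against `host:port`; and the relative-path branch is deliberately stricter than the parser (rejecting anything that begins with `//` or `/\`), because the browser, not `net/url`, decides where a protocol-relative string goes.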