
TOR-003 pen-torproject#3: sbws - HTTPS enforcement can be bypassed with subdomains

Technical Description

It was found that the HTTPS enforcement of destination endpoints can be bypassed with subdomains: the loopback exemption only checks that the network location starts with 127.0.0.1, so for instance the URL http://127.0.0.1.radicallyopensecurity.com is accepted as valid.

tpo/network-health/sbws/util/config.py

from urllib.parse import urlparse

def _validate_url(section, key):
    value = section[key]
    url = urlparse(value)
    [...]
    # Flawed exemption: a prefix match on netloc also accepts any host whose
    # name merely begins with 127.0.0.1 (e.g. 127.0.0.1.example-subdomain).
    if url.scheme != 'https' and not url.netloc.startswith('127.0.0.1'):
        return False, 'URL scheme must be HTTPS (except for the test server)'
    return True, ''

Impact

If attackers can configure a URL for a destination endpoint, bypassing HTTPS enforcement and using HTTP traffic is possible. As a result, a man-in-the-middle attack could be performed on the same network, and malicious exit nodes can manipulate HTTP traffic.

Recommendation

It is recommended to replace the second condition with url.hostname == "127.0.0.1" to have an exact match for the allowed URL.

Type

CWE-693: Protection Mechanism Failure

Update

The newly implemented check url.netloc.split(":")[0] != "127.0.0.1" can still be bypassed with http://127.0.0.1:@attacker.com, because the text before the first colon is treated as the host while urlparse treats everything before the "@" as userinfo. Using the url.hostname comparison from the Recommendation section prevents this kind of bypass.
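The three variants of the loopback exemption discussed in the Recommendation and Update sections, run side by side against the two bypass URLs from this finding (added example, not sbws project code; the function names and the sample URL list are assumptions made here):

```python
from urllib.parse import urlparse

# Sample inputs constructed for this example: the two bypass URLs quoted in the
# finding, a legitimate local test server URL, and an HTTPS and an HTTP endpoint.
SAMPLE_URLS = [
    "http://127.0.0.1.radicallyopensecurity.com",  # subdomain bypass
    "http://127.0.0.1:@attacker.com",              # userinfo bypass
    "http://127.0.0.1:8080/",                      # genuine local test server
    "https://example.com/bwauth",                  # normal HTTPS destination
    "http://example.com/bwauth",                   # must be rejected
]


def check_startswith(value):
    """Original check: prefix match on netloc (vulnerable to subdomains)."""
    url = urlparse(value)
    return url.scheme == "https" or url.netloc.startswith("127.0.0.1")


def check_split_port(value):
    """First fix: compare the text before the first colon (vulnerable to userinfo)."""
    url = urlparse(value)
    return url.scheme == "https" or url.netloc.split(":")[0] == "127.0.0.1"


def check_hostname(value):
    """Recommended check: exact match on the parsed hostname, which is taken
    after any userinfo and before any port, so neither bypass applies."""
    url = urlparse(value)
    return url.scheme == "https" or url.hostname == "127.0.0.1"


def evaluate(value):
    """Return which of the three checks would accept the given URL."""
    return {
        "startswith": check_startswith(value),
        "split_port": check_split_port(value),
        "hostname": check_hostname(value),
    }


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(f"{sample:45} {evaluate(sample)}")
```

Only the hostname variant rejects both bypass URLs while still accepting the genuine 127.0.0.1 test server.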