Opened 9 months ago

Closed 9 months ago

#28727 closed defect (fixed)

Remove `broker` and `relay` query string parameters from Snowflake proxy

Reported by: dcf
Owned by:
Priority: High
Milestone:
Component: Circumvention/Snowflake
Version:
Severity: Normal
Keywords: easy
Cc: dcf, arlolra
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The browser proxy allows overriding the default broker and relay using query string parameters. This is a security vulnerability because it can turn browser proxies into a DoS vector against some third party. An attacker only has to get a massive number of browsers to visit a URL like https://snowflake.example/embed.html?broker=https://victim.example and those browsers will start sending HTTPS requests to victim.example.

This same vulnerability existed in flash proxy; here are the commits removing the feature there:
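As an added illustration (not the attached patch or Snowflake's own code; the default endpoints and function names are assumptions), the override pattern the report describes beside the hardened form that ignores the parameters, plus a small check operators could use to spot links that still carry them:

```javascript
// Added illustration, not Snowflake's code. Shows how letting the page URL
// override the broker/relay endpoints lets anyone who can get browsers to
// load a crafted link point their proxy traffic at an arbitrary host, and
// the fix: endpoints are fixed constants that the URL cannot change.
// Placeholder defaults (assumption), not Snowflake's real endpoints.
const DEFAULT_BROKER = "https://broker.example/";
const DEFAULT_RELAY = "wss://relay.example/";

// Vulnerable pattern: query-string values win over the built-in defaults.
function resolveConfigVulnerable(pageHref) {
  const params = new URL(pageHref).searchParams;
  return {
    broker: params.get("broker") || DEFAULT_BROKER,
    relay: params.get("relay") || DEFAULT_RELAY,
  };
}

// Hardened pattern (what this ticket did): the page URL has no influence
// on where the proxy connects, so there is nothing for a crafted link to set.
function resolveConfigHardened(pageHref) {
  void pageHref; // intentionally ignored
  return { broker: DEFAULT_BROKER, relay: DEFAULT_RELAY };
}

// Detection helper (assumption): flag page loads whose URL still carries the
// removed parameters, e.g. to log abuse attempts against older deployments.
function hasOverrideParams(pageHref) {
  const params = new URL(pageHref).searchParams;
  return params.has("broker") || params.has("relay");
}

// Constructed sample link of the kind described in the ticket.
const craftedLink =
  "https://snowflake.example/embed.html?broker=https://victim.example";

console.log(resolveConfigVulnerable(craftedLink).broker); // https://victim.example
console.log(resolveConfigHardened(craftedLink).broker);   // https://broker.example/
console.log(hasOverrideParams(craftedLink));              // true
```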

Child Tickets

Attachments (1)

0001-Bug-28727-remove-broker-and-relay-query-string-param.patch (1.9 KB) - added by dcf 9 months ago.


Change History (6)

comment:1 Changed 9 months ago by dcf

Keywords: easy added

comment:2 Changed 9 months ago by dcf

Status: new → needs_review

ok?

comment:3 in reply to: 2 Changed 9 months ago by arlolra

Replying to dcf:

ok?

sure, lgtm

comment:4 Changed 9 months ago by dcf

Merged and deployed to https://snowflake.torproject.org/.

comment:5 Changed 9 months ago by dcf

Resolution: fixed
Status: needs_review → closed