8

Say a PHP page accepts a URL path as a POST parameter (like the answer to this question):

```php
// User-supplied value is appended directly after the host name, with no delimiter
$path = $_POST['url_path'];

file_get_contents('http://example.com' . $path);
```

A malicious user POSTs url_path as @evil.com/stuff.html.

As the code takes the user input and appends it without a delimiter to end the username section (e.g. ?, /), $path ends up as:

http://example.com@evil.com/stuff.html

which means username example.com accessing http://evil.com/stuff.html.

Is there already a specific name for this type of attack? The closest I found was Semantic URL attack, however this seems more syntactic. It appears to be a type of URL obfuscation, however as it is on the server and not visible to the end-user in the address bar it is a slightly different type of attack to Phishing.

Note: The code is also vulnerable to other types of domain manipulation such as appending something to change the interpretation to another top level domain (e.g. POSTing .uk to change example.co). So on that basis I would just call it a general string concatenation flaw rather than an attack specifically relating to URLs - however, I'd like to put this out to the floor.

SilverlightFox

1 Answer

4

Server Side Request Forgery (SSRF), where the server makes a web request to a user-controlled URL. MITRE has assigned this as CWE-918.

wireghoul
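An added example, not part of the original question or answer: it shows how PHP's `parse_url()` reads the concatenated string from the question, next to a builder that rejects any input able to change the authority part of the URL. The function names, the strict path allow-list and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: BASE and the sample inputs below are constructed for illustration.
const BASE = 'http://example.com';

// Host a client would actually contact after the naive concatenation.
function naive_target(string $path): ?string {
    $host = parse_url(BASE . $path, PHP_URL_HOST);
    return is_string($host) ? $host : null;
}

// Hardened builder: returns the URL, or null if the input could alter the authority.
function build_url(string $path): ?string {
    // Require a leading "/" (but not "//") and a strict character set, so the
    // input cannot extend the host (".uk"), add userinfo ("@evil.com") or a
    // port (":8080"). Percent-encoding is deliberately not accepted here.
    if (!preg_match('#^/(?!/)[A-Za-z0-9._~/-]*$#D', $path)) {
        return null;
    }
    $url = BASE . $path;

    // Defence in depth: re-parse and confirm the authority is unchanged.
    $parts = parse_url($url);
    if ($parts === false
        || ($parts['host'] ?? '') !== 'example.com'
        || isset($parts['user'])
        || isset($parts['port'])) {
        return null;
    }
    return $url;
}

// Constructed inputs: one legitimate path, then the manipulations from the question.
$samples = ['/stuff.html', '@evil.com/stuff.html', '.uk/stuff.html', ':8080/x'];
foreach ($samples as $p) {
    printf(
        "%-24s naive host=%-16s hardened=%s\n",
        $p,
        naive_target($p) ?? '(unparseable)',
        build_url($p) ?? 'rejected'
    );
}
```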