mtrudel Bandit Transport-State Spoofing Vulnerability in HTTP Connections

Vulnerability

A vulnerability in the mtrudel Bandit web server for Elixir allows unauthenticated transport-state spoofing over unencrypted HTTP connections. The issue arises because the 'determine_scheme/2' function in 'lib/bandit/pipeline.ex' accepts a client-supplied URI scheme without checking whether the underlying transport actually negotiated TLS. The client controls the scheme in two places: the absolute-form request target of an HTTP/1.1 request (for example 'GET https://host/path HTTP/1.1') and the ':scheme' pseudo-header of an HTTP/2 request. As a result, Bandit may set the connection scheme to 'https' even though no TLS session exists. This misrepresentation can cause downstream failures such as bypassed HTTP-to-HTTPS redirects, mishandled secure cookies, and inaccurate audit logs.

Impact

Exploitation of this vulnerability causes the application to misinterpret a plaintext HTTP connection as secure, with 'conn.scheme' incorrectly set to ':https'. This can disrupt security measures that rely on accurate scheme representation, such as HTTP to HTTPS redirects, secure cookie transmission, and proper audit logging.

Reproduction

The vulnerability can be reproduced by sending a plaintext HTTP/1.1 request whose absolute-form request target begins with 'https://'. Bandit will incorrectly report the connection as secure by setting 'conn.scheme' to ':https'. This can be automated with a script that opens a plain TCP connection to a Bandit server and sends such a request.
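The following is an added Python model of the logic described in the Vulnerability and Reproduction sections; it is not Bandit's code, and the function names ('determine_scheme_vulnerable', 'determine_scheme_hardened', 'scheme_mismatch') and the constructed sample requests are assumptions made for illustration. It parses an HTTP/1.1 request line, extracts the scheme a client asserts through an absolute-form target or an HTTP/2 ':scheme' pseudo-header, shows the flawed decision beside the transport-derived one, and provides a mismatch check a server or reverse proxy can log as an anomaly.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Request:
    """Minimal view of a request as a server sees it (hypothetical model)."""
    transport_tls: bool                 # did the accepting socket negotiate TLS?
    request_target: str = "/"           # HTTP/1.1 request-target (origin- or absolute-form)
    h2_scheme: Optional[str] = None     # HTTP/2 ':scheme' pseudo-header, if any


def parse_request_line(line: str) -> Tuple[str, str, str]:
    """Split 'METHOD target HTTP/x.y' into its three parts (RFC 9112 request-line)."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    return parts[0], parts[1], parts[2]


def client_asserted_scheme(req: Request) -> Optional[str]:
    """Return the scheme the client claimed, or None if it claimed nothing."""
    if req.h2_scheme:
        return req.h2_scheme.lower()
    parts = urlsplit(req.request_target)
    # Only absolute-form targets (scheme://authority/path) carry a scheme;
    # origin-form ('/path') and asterisk-form ('*') do not.
    if parts.scheme and parts.netloc:
        return parts.scheme.lower()
    return None


def determine_scheme_vulnerable(req: Request) -> str:
    """Mirrors the flaw: a client-supplied scheme overrides the transport state."""
    claimed = client_asserted_scheme(req)
    if claimed in ("http", "https"):
        return claimed
    return "https" if req.transport_tls else "http"


def determine_scheme_hardened(req: Request) -> str:
    """Scheme is a property of the transport, never of the request bytes."""
    return "https" if req.transport_tls else "http"


def scheme_mismatch(req: Request) -> bool:
    """Detection helper: True when the client's claim contradicts the transport."""
    claimed = client_asserted_scheme(req)
    return claimed is not None and claimed != determine_scheme_hardened(req)


def classify(req: Request) -> dict:
    """Summarise one request: both decisions plus the mismatch flag."""
    return {
        "vulnerable": determine_scheme_vulnerable(req),
        "hardened": determine_scheme_hardened(req),
        "mismatch": scheme_mismatch(req),
    }


# Constructed sample: a plaintext TCP connection carrying an absolute-form
# target that claims https, as in the reproduction described above.
SPOOFED_LINE = "GET https://example.test/login HTTP/1.1"
_, SPOOFED_TARGET, _ = parse_request_line(SPOOFED_LINE)
SPOOFED_PLAINTEXT = Request(transport_tls=False, request_target=SPOOFED_TARGET)

# Constructed sample: an ordinary origin-form request over plaintext.
ORDINARY_PLAINTEXT = Request(transport_tls=False, request_target="/login")

# Constructed sample: HTTP/2 over cleartext (h2c) asserting ':scheme: https'.
SPOOFED_H2C = Request(transport_tls=False, h2_scheme="https")

# Constructed sample: genuine TLS connection with a matching ':scheme'.
GENUINE_TLS_H2 = Request(transport_tls=True, h2_scheme="https")

if __name__ == "__main__":
    for name, req in [("spoofed_plaintext", SPOOFED_PLAINTEXT),
                      ("ordinary_plaintext", ORDINARY_PLAINTEXT),
                      ("spoofed_h2c", SPOOFED_H2C),
                      ("genuine_tls_h2", GENUINE_TLS_H2)]:
        print(name, classify(req))
```

The hardened rule is the whole fix: once the scheme comes only from the socket, a redirect-to-HTTPS plug, a 'secure' cookie flag check, or an audit logger keyed on 'conn.scheme' can no longer be steered by request bytes. The mismatch flag is worth emitting to logs even after patching, since a client that asserts 'https' on a plaintext socket is either misconfigured or probing.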

Remediation

Users can upgrade to Bandit version 1.11.0 or later, where this vulnerability has been fixed.

Added: May 1, 2026, 9:36 PM
Updated: May 1, 2026, 9:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.0
remediation: 0.0
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.