SSRF: send arbitrary POST requests into local networks
HackerOne report #1037411 by yvvdwf
on 2020-11-18, assigned to @dcouture:
Report
Hello,
The Prometheus integration service allows issuing any POST request into the local network.
Steps to reproduce
- In any existing project (or create a new one), go to Settings/Integrations/Prometheus
- Set the following parameters:
  - Active: check
  - API URL: https://gitlab.com (or any url)
  - Google IAP Audience Client ID: test (or any string)
  - Google IAP Service Account JSON: {"token_credential_uri": "http://localhost:1234/arbitrary-query?x=y", "private_key": 512}
- Click the "Test" button; gitlab will hit localhost:1234 (e.g., open a web server at port 1234 to receive the requests)
Impact
The SSRF allows attackers to issue arbitrary POST requests into the local network. The impact will be different, depending on which services are running on the local network. For example, if there exists a docker daemon listening on localhost:2375, then attackers may read any files by issuing a POST request to build an image from a remote dockerfile. With your permission, I will try to discover gitlab.com.
Output of checks
This bug happens on GitLab.com
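The root cause above is that token_credential_uri is read from user-supplied service-account JSON and requested as-is. The following is an added example of the input validation a defender would put in front of that request; it is not GitLab's code, and the allowed host and the default token endpoint are assumptions (Google's OAuth token endpoint), as is the check_service_account name.

```ruby
require 'json'
require 'uri'
require 'ipaddr'

# Hypothetical validator (not GitLab's code) for a user-supplied Google IAP
# service-account JSON. The report shows token_credential_uri being requested
# verbatim, so the check has to decide where the token exchange may go before
# any HTTP client is handed the URL.
ALLOWED_TOKEN_HOSTS = %w[oauth2.googleapis.com].freeze # assumed: Google's OAuth token host
DEFAULT_TOKEN_URI = 'https://oauth2.googleapis.com/token'.freeze # assumed library default

# Returns [:ok, parsed_hash] or [:rejected, reason]. Allowlisting the host is
# preferred over blocklisting private ranges: a blocklist still lets the
# service be pointed at internal hostnames, and DNS answers can change
# between the check and the request.
def check_service_account(raw)
  doc = begin
    JSON.parse(raw)
  rescue JSON::ParserError
    return [:rejected, 'not valid JSON']
  end
  return [:rejected, 'not a JSON object'] unless doc.is_a?(Hash)

  uri_str = doc.fetch('token_credential_uri', DEFAULT_TOKEN_URI)
  return [:rejected, 'token_credential_uri must be a string'] unless uri_str.is_a?(String)
  uri = begin
    URI.parse(uri_str)
  rescue URI::InvalidURIError
    return [:rejected, 'token_credential_uri is not a URL']
  end
  # "http://localhost:1234/..." from the report fails here: scheme is not https.
  return [:rejected, 'token_credential_uri must use https'] unless uri.is_a?(URI::HTTPS)
  host = uri.hostname.to_s.downcase
  ip_literal = IPAddr.new(host) rescue nil
  return [:rejected, 'token_credential_uri must not be an IP literal'] if ip_literal
  return [:rejected, "token_credential_uri host #{host} is not allowed"] unless ALLOWED_TOKEN_HOSTS.include?(host)

  # The report's payload also carries a non-PEM private_key (an integer).
  key = doc['private_key']
  return [:rejected, 'private_key must be a PEM string'] unless key.is_a?(String) && key.start_with?('-----BEGIN')
  [:ok, doc]
end

# Constructed inputs: the payload quoted in the report, and a well-formed
# stand-in with a dummy PEM body.
REPORT_PAYLOAD = '{"token_credential_uri": "http://localhost:1234/arbitrary-query?x=y", "private_key": 512}'.freeze
SAFE_PAYLOAD = JSON.generate(
  'token_credential_uri' => DEFAULT_TOKEN_URI,
  'private_key' => "-----BEGIN PRIVATE KEY-----\nMIIB...constructed...\n-----END PRIVATE KEY-----\n"
).freeze

if __FILE__ == $PROGRAM_NAME
  [REPORT_PAYLOAD, SAFE_PAYLOAD].each { |p| puts check_service_account(p).inspect }
end
```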