DNS Rebind SSRF in Discord Integration

Problem

As part of https://gitlab.com/gitlab-com/gl-security/engineering/issues/292 it was determined that Slack Notifications are vulnerable to a DNS rebind attack. This type of attack allows an attacker to bypass our SSRF protections by returning a valid IP address during validation, and a restricted/protected address when the actual connection is made.

Steps to Reproduce

1. Setup a netcat listener on port 2345 of the GitLab server
2. Visit Project->Integrations->Discord Notifications
3. Select Active
4. Input as the Webhook http://rebind.gtest.dev:2345
5. Click Test setting and save changes
6. Look for connection in netcat listener
   1. If a connection is not seen or error received, revisit configuration page and save again. Multiple attempts are sometimes needed to trigger attack.

Impact

SSRF protections are bypassed to make connections to internal services. The immediate impact seen is that an attacker can create network connections to internal system.

Mitigation steps

1. The primary mitigation here would be to use a whitelist to only allow URLs containing https://discordapp.com/api/webhooks.

• https://support.discordapp.com/hc/en-us/articles/228383668-Intro-to-Webhooks

Additional notes

There is additional discussion happening around using a dns cacher with minimum TTL requirements DNS TTL. This would be considered a defense-in-depth measure.