Blind SSRF in repository mirroring using DNS rebinding
HackerOne report #1462437 by ashish_r_padelkar on 2022-01-28, assigned to @dcouture:
Report
Summary
Hello,
I found a Blind SSRF issue in repository mirroring using DNS rebinding.
Steps to reproduce
- Go to https://lock.cmpxchg8b.com/rebinder.html and put any IP address in A and 127.0.0.1 in B.
- Now log in to your project and go to https://gitlab.com/<NameSpace>/<ProjectName>/-/settings/repository#js-push-remote-settings
- In Mirroring repositories, put the URL generated in step 1, e.g. http://ac41fb4e.7f000001.rbndr.us, in Git repository URL.
- Use Push as mirror direction.
- It may block several times, giving you the reason "localhost not allowed" (expected, as it will switch to localhost in DNS rebinding), but keep trying several times till it gets added.
- Once added, use the refresh icon near the URL several times and after a few tries you should see a message like the one below.
- This indicates that the request reached localhost but the connection got refused as the port is closed.
Examples
If you want, I can add you to my project for a POC where I have already added the URLs and you can see the error messages.
https://gitlab.com/[REDACTED]/githubimport/-/settings/repository#js-push-remote-settings
What is the current bug behavior?
Blind SSRF using DNS rebinding
What is the expected correct behavior?
Requests to localhost should be blocked!
Output of checks
This bug happens on GitLab.com
Regards,
Ashish
Impact
Blind SSRF in repository mirroring using DNS rebinding
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section:
Steps were explained clearly by the reporter above, also see the video in #353018 (comment 845509652)
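The behaviour the reporter observed (the URL is refused when the rebinding name answers with 127.0.0.1, yet a later refresh reaches localhost) is the classic time-of-check/time-of-use gap of DNS rebinding: the address is validated on one lookup and the connection is made after another. The defence is to resolve once, check every answer, and connect to the checked address. The Ruby module below is an added example written for this page, not GitLab's own URL-validation code; the module name `MirrorUrlGuard`, the denylist, the hostnames and the resolver answers are all constructed for illustration.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Added example (not GitLab's code): resolve a mirror URL's host once, reject any
# answer in a disallowed range, and return the checked IP so the client connects
# to that pinned address instead of resolving the name a second time. A second
# lookup is exactly what a rebinding name exploits: it answers with a public IP
# while being validated and with 127.0.0.1 when the connection is opened.
module MirrorUrlGuard
  class BlockedUrlError < StandardError; end

  # Ranges a mirror must never be allowed to reach (assumption: a typical
  # internal-network denylist; tailor it to the deployment).
  BLOCKED_RANGES = [
    IPAddr.new('0.0.0.0/8'),
    IPAddr.new('127.0.0.0/8'),      # loopback, the target in this report
    IPAddr.new('10.0.0.0/8'),
    IPAddr.new('172.16.0.0/12'),
    IPAddr.new('192.168.0.0/16'),
    IPAddr.new('169.254.0.0/16'),   # link-local, includes cloud metadata endpoints
    IPAddr.new('::1/128'),
    IPAddr.new('fc00::/7'),         # IPv6 unique local
    IPAddr.new('fe80::/10')         # IPv6 link-local
  ].freeze

  # True when +ip+ (a string) falls in a blocked range. IPv4-mapped IPv6
  # addresses such as ::ffff:127.0.0.1 are unwrapped first so they cannot be
  # used to dodge the IPv4 rules; anything unparseable is treated as blocked.
  def self.blocked_ip?(ip)
    addr = IPAddr.new(ip)
    addr = addr.native if addr.ipv4_mapped?
    BLOCKED_RANGES.any? { |range| range.include?(addr) }
  rescue IPAddr::InvalidAddressError
    true
  end

  # Parse +url+, resolve its host exactly once via +resolver+ (a callable
  # returning an array of IP strings; defaults to system DNS, injectable so
  # this runs offline), reject the URL if any answer is blocked, and return
  # the pinned {hostname:, ip:, port:} the connection must use.
  def self.validate_and_pin(url, resolver: ->(host) { Resolv.getaddresses(host) })
    uri = URI.parse(url)
    raise BlockedUrlError, 'only http(s) mirrors handled here' unless %w[http https].include?(uri.scheme)
    hostname = uri.hostname
    raise BlockedUrlError, 'URL has no host' if hostname.nil? || hostname.empty?

    addresses =
      begin
        [IPAddr.new(hostname).to_s]          # literal IP: nothing to resolve
      rescue IPAddr::InvalidAddressError
        Array(resolver.call(hostname)).map(&:to_s)
      end
    raise BlockedUrlError, "could not resolve #{hostname}" if addresses.empty?

    # Every answer must pass: a rebinding name may return both a public and a
    # loopback address in one response.
    bad = addresses.select { |ip| blocked_ip?(ip) }
    raise BlockedUrlError, "#{hostname} resolves to disallowed address(es): #{bad.join(', ')}" unless bad.empty?

    { hostname: hostname, ip: addresses.first, port: uri.port }
  end

  # Simulates the time-of-check/time-of-use gap with a constructed resolver that
  # answers with a public address once and with 127.0.0.1 afterwards. The pinned
  # client keeps the address it validated; a client that re-resolves the name at
  # connect time would be handed loopback.
  def self.rebinding_demo
    answers = [['198.51.100.7'], ['127.0.0.1']]
    flipping = ->(_host) { answers.length > 1 ? answers.shift : answers.first }
    pinned = validate_and_pin('http://rebind.example.test/repo.git', resolver: flipping)
    naive_connect_ip = flipping.call('rebind.example.test').first
    { pinned_ip: pinned[:ip], naive_connect_ip: naive_connect_ip }
  end
end

if $PROGRAM_NAME == __FILE__
  p MirrorUrlGuard.rebinding_demo
  begin
    MirrorUrlGuard.validate_and_pin('http://mirror.example.test/repo.git',
                                    resolver: ->(_h) { ['198.51.100.7', '127.0.0.1'] })
  rescue MirrorUrlGuard::BlockedUrlError => e
    puts "blocked: #{e.message}"
  end
end
```

The pinned `ip` is what the HTTP or Git client must be handed as its connection address, with `hostname` kept only for the Host header and SNI; if the client is allowed to look the name up again, the check above is worthless no matter how strict the denylist is. Rejecting a URL when any answer is blocked also covers rebinding services that return both addresses in a single response.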