Found Origin IP leads to access to GitLab

HackerOne report #1637577 by m-narayanan on 2022-07-15, assigned to @kmorrison1:

Report

Description:

I have discovered that the https://35.237.2.165/users/sign_in site exposed its IP, which could allow bypassing of anti-DDoS mechanisms, i.e. you are using Cloudflare for protection.

By using this IP address as a resolver instead of the intended addresses I'm able to access the service without going through the WAF, thus I'm able to forward unfiltered payloads to the service, as well as avoiding the common protections offered by Cloudflare, also being able to perform crippling denial-of-service towards the origin.

Suggestion:

My recommendations fall in line with Cloudflare's own guidelines: the origin server must communicate exclusively with Cloudflare's IP address ranges; otherwise, as reported in this post on Cloudflare's blog, the protection offered by having a reverse proxy basically becomes useless.

IP

35.237.2.165

Impact

Any adversary is now able to communicate with the origin server directly, enabling them to perform unfiltered attacks (such as denial-of-service) and data retrieval.
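The fix the reporter recommends is an origin-side allowlist: the origin accepts inbound connections only from the reverse proxy's published IP ranges, so that resolving the origin address directly gains an attacker nothing. The following is an added example (not GitLab's or Cloudflare's code) of how an operator can express and verify that control. The CIDR ranges embedded here are constructed placeholders, not Cloudflare's real list; in production the current ranges are loaded from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. The access-log lines are likewise constructed, and `audit_access_log` assumes the nginx default of the client IP as the first field.

```python
"""Origin lockdown: accept inbound connections only from the reverse proxy's
published IP ranges, emit the matching nginx allowlist, and audit an access
log for connections that bypassed the proxy.

Added example for this report; not GitLab's or Cloudflare's own code.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed placeholder ranges standing in for the proxy's published list.
# In production, fetch https://www.cloudflare.com/ips-v4 and /ips-v6 instead.
PROXY_RANGES_TEXT = """\
# placeholder edge ranges (NOT Cloudflare's real list)
203.0.113.0/24
198.51.100.0/25
2001:db8:1::/48
"""


def parse_ranges(text: str) -> List[Network]:
    """Parse one CIDR per line, ignoring blanks and '#' comments.
    strict=True rejects ranges with host bits set, which usually means a typo."""
    nets: List[Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


PROXY_NETWORKS = parse_ranges(PROXY_RANGES_TEXT)


def is_from_proxy(client_ip: str, networks: List[Network] = PROXY_NETWORKS) -> bool:
    """True if the connecting address falls inside one of the proxy's ranges.
    Raises ValueError for a malformed address so callers can decide how to log it."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks if net.version == addr.version)


def nginx_allowlist(networks: List[Network] = PROXY_NETWORKS) -> str:
    """Render an nginx snippet: allow each proxy range, deny everything else.
    Drop it into the server block (or a shared include) on the origin."""
    lines = [f"allow {net.with_prefixlen};" for net in networks]
    lines.append("deny all;")
    return "\n".join(lines)


def audit_access_log(lines: Iterable[str], networks: List[Network] = PROXY_NETWORKS) -> List[str]:
    """Return the client IPs of requests that did NOT arrive through the proxy.
    A non-empty result means the origin is still reachable directly and the
    allowlist (or the firewall in front of it) is not doing its job."""
    direct: List[str] = []
    for line in lines:
        ip = line.split(" ", 1)[0]  # nginx combined format: client IP first
        try:
            if not is_from_proxy(ip, networks):
                direct.append(ip)
        except ValueError:
            continue  # garbage first field: skip rather than crash the audit
    return direct


# Constructed sample log lines (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [15/Jul/2022:10:00:01 +0000] "GET /users/sign_in HTTP/1.1" 200 512',
    '198.51.100.200 - - [15/Jul/2022:10:00:02 +0000] "GET /users/sign_in HTTP/1.1" 200 512',
    '192.0.2.44 - - [15/Jul/2022:10:00:03 +0000] "POST /users/sign_in HTTP/1.1" 302 0',
    'not-an-ip - - [15/Jul/2022:10:00:04 +0000] "GET / HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    print(nginx_allowlist())
    print("direct (bypass) connections:", audit_access_log(SAMPLE_ACCESS_LOG))
```

Two design points worth keeping in mind. First, the allowlist belongs as close to the network edge as possible (cloud security group or host firewall) as well as in the web server, because a listener that accepts the TCP connection and then returns 403 still answers a direct denial-of-service flood. Second, an IP allowlist only proves a packet came from a proxy address; Cloudflare's Authenticated Origin Pulls (client-certificate TLS between edge and origin) additionally proves it came from the proxy, and the two controls are normally deployed together.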

Attachments


How To Reproduce
