-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP redirection attack bypass DNS check #2
Comments
Jesus, that’s clever. AFAIK there’s no way to “automatically” follow redirects at the DNS level, but I’ll look into the best way to resolve this! |
Hmm, it seems like following redirects is really the safest way to go about this (if not the only way). While you could “keep things at the DNS level” and look up CNAME/ALIAS records, in your example it’s not the DNS records of the redirect that’s bad, but rather the DNS record of the redirect destination (i.e. the CNAME is legit, but the 301 on /dns is not). So I don’t see a feasible way to keep this “within” DNS, in which case the solution is simple as you’ve pointed out: just send a HEAD request with the redirect turned on and check the DNS of the destination. In case of multiple redirects, however, if local.urlint.co/dns -> local.urlint.co/dns2 -> $evil_link, do you suppose we can just follow the redirect “all the way” or manually check that every step of the redirect is safe from SSRF? I’m thinking a beforeRedirect hook of got might be a good fit for this. |
Yeah, ok. Running the same check on |
@Kikobeats I can confirm that the issue you pointed out is fixed now with the new version of got-ssrf (v1.2.0 and higher): |
It works like a charm 💯 |
Hello,
This library is fantastic. Thanks for that. I found an attack that is not being covered.
I setup a DNS record on my domain pointing to itself:
Nothing evil there. However, I added a redirection rule to redirect that URL into something evil:
So the library is preventing malicious attacks by checking for the hostname.
https://github.com/JaneJeon/got-ssrf/blob/master/index.js#L35
There the hostname is going to be
'local.urlint.co'
being resolved into a unicast IP address.However, if you interact with the resource, that URL is going to redirect you into the evil URL
That's because we checked the DNS over the hostname but not over the hostname over the location.
Plus, most HTTP clients follow redirects by default (that's the case of
got
and that in fact a good expected behavior).I wrote some code as suggestions to prevent the attack:
However, I don't like it at all, since the
got.head
extra network request needs to be performed. Maybe that could be handle at the DNS level?The text was updated successfully, but these errors were encountered: