Closed
Labels: lang:php, PHP/Laravel
Description
The SafeWebhookUrl validation rule resolves DNS at validation time, but the actual HTTP request happens later. This creates a Time-Of-Check-Time-Of-Use (TOCTOU) vulnerability where an attacker could use DNS rebinding to bypass SSRF protections.
Location
src/Core/Rules/SafeWebhookUrl.php:196-227
Attack Scenario
- Attacker sets up a malicious domain with a short TTL
- First DNS lookup returns a public IP (passes validation)
- TTL expires, second lookup returns 127.0.0.1 or internal IP
- Webhook request goes to internal service
Recommended Fixes
- Re-resolve and validate DNS immediately before making the HTTP request (not just at validation time)
- Pin the resolved IP and use it directly for the connection
- Use a custom HTTP client that validates resolved IPs before connecting
- Consider implementing a pinned DNS resolver or using the IP directly
Additional Mitigations
- Block requests with very short TTLs
- Implement a webhook proxy service that performs validation at request time
- Use network-level controls (firewall rules) as defense in depth
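The following is an added example, not code from the project or the issue author, showing how the first two recommended fixes and the short-TTL mitigation fit together in PHP: the hostname is resolved once immediately before the request, every returned address is checked against private and reserved ranges, records with a short TTL are refused, and the validated address is pinned into libcurl with CURLOPT_RESOLVE so that no second, unchecked lookup can occur between validation and connection. The function names (`isPublicIp`, `resolvePinnedIp`, `pinnedWebhookRequest`) and the `MIN_TTL_SECONDS` threshold are assumptions for illustration.

```php
<?php
// Added example (not the project's code): resolve, validate, then pin the
// address for the actual HTTP request so validation and use share one lookup.

// Assumed policy value: refuse records whose TTL is shorter than this.
const MIN_TTL_SECONDS = 60;

// filter_var rejects RFC 1918 private ranges and reserved ranges
// (loopback, link-local, 0.0.0.0/8, etc.). Note it does not cover
// 100.64.0.0/10 (carrier-grade NAT); add a check for that if relevant.
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Resolve the host's A records right before use. Every address must be
// public and every record must carry an acceptable TTL; the first address
// is returned for pinning. (AAAA records would need the same treatment
// if IPv6 targets are allowed; with pinning, libcurl performs no lookup.)
function resolvePinnedIp(string $host): string
{
    $records = dns_get_record($host, DNS_A);
    if ($records === false || $records === []) {
        throw new RuntimeException("No A records for {$host}");
    }
    foreach ($records as $record) {
        if (!isPublicIp($record['ip'])) {
            throw new RuntimeException("Non-public address {$record['ip']} for {$host}");
        }
        if (($record['ttl'] ?? 0) < MIN_TTL_SECONDS) {
            throw new RuntimeException("TTL below " . MIN_TTL_SECONDS . "s for {$host}");
        }
    }
    return $records[0]['ip'];
}

// Deliver the webhook body to $url using the address validated a moment ago.
function pinnedWebhookRequest(string $url, string $body): array
{
    $parts = parse_url($url);
    $scheme = $parts['scheme'] ?? '';
    if ($parts === false || !isset($parts['host']) || !in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Unsupported webhook URL');
    }
    $host = $parts['host'];
    // A literal IP in the URL is checked directly; a hostname is resolved and checked.
    $ip = filter_var($host, FILTER_VALIDATE_IP) !== false ? $host : resolvePinnedIp($host);
    if (!isPublicIp($ip)) {
        throw new RuntimeException("Refusing webhook to non-public address {$ip}");
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        // Pin host:port to the validated address; libcurl skips its own DNS lookup.
        CURLOPT_RESOLVE        => ["{$host}:{$port}:{$ip}"],
        // A redirect would trigger a fresh, unvalidated resolution: refuse it.
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $response  = curl_exec($ch);
    $status    = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $primaryIp = curl_getinfo($ch, CURLINFO_PRIMARY_IP);
    $error     = curl_error($ch);
    curl_close($ch);

    if ($response === false) {
        throw new RuntimeException("Webhook request failed: {$error}");
    }
    // Defense in depth: confirm the socket actually went to the pinned address.
    if ($primaryIp !== $ip) {
        throw new RuntimeException("Connected to {$primaryIp}, expected pinned {$ip}");
    }
    return ['status' => $status, 'ip' => $primaryIp, 'body' => $response];
}

// Usage (constructed URL, not a real endpoint):
// $result = pinnedWebhookRequest('https://webhook.example.test/hook', '{"event":"ping"}');
```

Pinning via CURLOPT_RESOLVE keeps TLS intact (SNI and certificate verification still use the hostname), which is why this is preferable to rewriting the URL to the raw IP. Disabling redirects matters as much as the pin: a 3xx to another host would otherwise start a new resolution that the rule never saw.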
Severity
Medium - Requires attacker to control a domain with short TTL DNS, but could lead to SSRF attacks against internal services.