Describe the bug
Hi team,
We found that lighthouse-audit-service, which is used by Backstage as a plugin, can be used to send HTTP requests to arbitrary URLs.
Yes, Lighthouse is used to audit websites, but it is dangerous because it can be used to send HTTP requests to the internal network, including HTTP calls to the GCP metadata server to obtain sensitive information such as OAuth tokens.
To Reproduce
Prepare a server that will be audited; this server will redirect to the desired internal endpoint.
Sample redirect handler:
Send an audit request and add the additional parameter ExtraHeaders, so that every time lighthouse-audit-service sends an HTTP request the additional header will be included.
Here is an image that explains more:
When the audit is done, we can fetch the response of the internal HTTP call captured in the variable final-screenshot.
GCP and other cloud providers have protection to prevent SSRF by adding header validation, but since lighthouse-audit-service allows the ExtraHeaders parameter, an attacker can add any header they want.
As mentioned in the README.md, this project was built with Backstage in mind, so we reported it to Backstage, but after discussion with the Backstage team they referred us to report it to spotify/lighthouse-audit-service.
Thank you
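Added example, not code from the issue above or from lighthouse-audit-service: a Python sketch of the attack chain the report describes (audit URL redirects to the GCP metadata token endpoint, `ExtraHeaders` supplies the `Metadata-Flavor: Google` header the endpoint insists on), beside the two checks a fix needs, re-validating the destination of every redirect hop against private and link-local ranges, and refusing caller-supplied headers that cloud metadata services use as their SSRF defence. The `FAKE_DNS` table and `FAKE_SERVERS` transport are constructed so the block runs offline; all function names are assumptions, not the project's API.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-ins so the example runs offline (not a real resolver or network).
FAKE_DNS = {
    "attacker.example": ["203.0.113.10"],
    "metadata.google.internal": ["169.254.169.254"],
}
TOKEN_URL = ("http://169.254.169.254/computeMetadata/v1/instance/"
             "service-accounts/default/token")
FAKE_SERVERS = {
    # The attacker's "site to be audited" answers with a redirect into the metadata service.
    "http://attacker.example/": (302, TOKEN_URL, ""),
    TOKEN_URL: (200, None, '{"access_token": "ya29.constructed-token"}'),
}

BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
# Headers that cloud metadata endpoints require (GCP, Azure, AWS IMDSv2) plus Host;
# letting the caller set them defeats the provider's own SSRF mitigation.
FORBIDDEN_HEADERS = {"metadata-flavor", "metadata", "x-aws-ec2-metadata-token",
                     "x-aws-ec2-metadata-token-ttl-seconds", "host"}


def is_blocked_ip(ip_str):
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped:      # ::ffff:169.254.169.254 unwraps to IPv4
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_url(url, dns=FAKE_DNS):
    """Return None if the URL may be fetched, otherwise a reason string."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return "missing host"
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]   # literal IP in the URL
    except ValueError:
        addrs = dns.get(parts.hostname)
        if not addrs:
            return f"cannot resolve {parts.hostname}"
    for addr in addrs:
        if is_blocked_ip(addr):
            return f"{parts.hostname} resolves to blocked address {addr}"
    return None


def check_extra_headers(headers):
    """Reject any caller-supplied header from the metadata denylist (case-insensitive)."""
    bad = sorted(h for h in headers if h.lower() in FORBIDDEN_HEADERS)
    return None if not bad else f"forbidden headers: {', '.join(bad)}"


def fake_transport(url, headers):
    """Constructed transport: the token endpoint only answers with Metadata-Flavor: Google."""
    status, location, body = FAKE_SERVERS.get(url, (404, None, ""))
    if url == TOKEN_URL and headers.get("Metadata-Flavor") != "Google":
        return 403, None, "Missing Metadata-Flavor:Google header."
    return status, location, body


def audit_fetch(url, extra_headers, validate=True, transport=fake_transport,
                dns=FAKE_DNS, max_hops=5):
    """Follow redirects the way an audit runner would.

    validate=False reproduces the reported behaviour; validate=True checks the
    extra headers once and the destination of every hop, redirects included.
    """
    if validate:
        reason = check_extra_headers(extra_headers)
        if reason:
            return {"ok": False, "reason": reason, "url": url}
    for _ in range(max_hops):
        if validate:
            reason = check_url(url, dns)
            if reason:
                return {"ok": False, "reason": reason, "url": url}
        status, location, body = transport(url, extra_headers)
        if status in (301, 302, 303, 307, 308) and location:
            url = location      # the hop into the internal network happens here
            continue
        return {"ok": status == 200, "status": status, "url": url, "body": body}
    return {"ok": False, "reason": "too many redirects", "url": url}
```

Two caveats for anyone turning this into a real fix. Checking the name and then letting a client resolve it again is a DNS-rebinding window; the fetch should connect to the address that passed the check and send the original `Host` header. And because Lighthouse drives a headless Chrome, the requests leave from the browser rather than from the service's own HTTP client, so the destination check has to sit where the traffic actually exits (an egress proxy in front of the browser, or network policy), not only in the API handler.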