Summary
When we examined the fix for the "SSRF Vulnerability on assetlinks_check(act_name, well_knowns)" vulnerability we detected, we saw that it could potentially be bypassed.
Details
Since the requests.get() request in the _check_url method is specified as allow_redirects=True, if "https://mydomain.com/.well-known/assetlinks.json" returns a 302 redirect, subsequent requests will be sent automatically. If the redirect location is "http://192.168.1.102/user/delete/1", a request will be sent here as well.
It will be safer to use allow_redirects=False.
Impact
The attacker can cause the server to make a connection to internal-only services within the organization's infrastructure.
bulutenes Reporter
aydinnyunus Reporter
Summary
When we examined the fix for the "SSRF Vulnerability on assetlinks_check(act_name, well_knowns)" vulnerability we detected, we saw that it could potentially be bypassed.
Details
Since the requests.get() request in the _check_url method is specified as allow_redirects=True, if "https://mydomain.com/.well-known/assetlinks.json" returns a 302 redirect, subsequent requests will be sent automatically. If the redirect location is "http://192.168.1.102/user/delete/1", a request will be sent here as well.
It will be safer to use allow_redirects=False.
Impact
The attacker can cause the server to make a connection to internal-only services within the organization's infrastructure.