[Security] pingrelay: DNS rebinding bypass in forward_url validation #32

Closed
opened 2026-02-28 03:07:08 +00:00 by ash · 0 comments
Owner

Architectural Concern

pingrelay validates forward URLs at create time but DNS resolution happens at forward time. An attacker could:

  1. Set forward_url to https://attacker.com/hook (passes validation)
  2. Change DNS A record for attacker.com to 127.0.0.1
  3. Webhook forwarding now hits localhost

Recommendation

Use a custom DialContext in the HTTP client that resolves DNS and checks the IP against isBlockedIP() before connecting.

Severity

Medium — requires DNS control but well-known SSRF pattern.

Found during red team audit 2026-02-28.

ash closed this issue 2026-03-26 16:38:24 +00:00
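
The recommendation in the issue, sketched as an added Go example (not pingrelay's own code): the dial hook resolves the host at forward time, rejects blocked answers, and connects to the vetted IP literal so the check and the connection use the same address. The body of `isBlockedIP` is a stand-in with assumed ranges, and `safeDialContext`, `newForwardClient` and `errBlockedTarget` are hypothetical names.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

var errBlockedTarget = errors.New("forward target resolves to a blocked address")

// isBlockedIP: stand-in for pingrelay's helper (assumed ranges, not the project's list).
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() || ip.IsLinkLocalUnicast() || ip.IsMulticast()
}

// safeDialContext resolves the host at connect time, refuses the dial if any
// answer is blocked, then dials the vetted IP literal (no second lookup).
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("resolve %q: no usable address (%v)", host, err)
	}
	for _, ip := range ips {
		if isBlockedIP(ip.IP) {
			return nil, fmt.Errorf("%w: %s -> %s", errBlockedTarget, host, ip.IP)
		}
	}
	d := net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// newForwardClient: every connection, redirects included, goes through
// safeDialContext. Proxy is left nil so the dial target is the webhook host.
func newForwardClient() *http.Client {
	return &http.Client{Transport: &http.Transport{DialContext: safeDialContext}}
}

func main() {
	// Constructed target: a literal loopback URL takes the same dial path.
	_, err := newForwardClient().Get("http://127.0.0.1:8080/hook")
	fmt.Println(errors.Is(err, errBlockedTarget), err)
}
```

Create-time validation of `forward_url` can stay as an early rejection, but the dial-time check is the one that sees the address actually used for the connection.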

Reference
ash/ideas#32