Hemmelig Webhook URL Validation Vulnerability Allowing Server-Side Request Forgery
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Hemmelig messaging app, prior to version 7.3.3. The issue arises in the webhook URL validation for the Secret Requests feature, where the application fails to properly block internal IP addresses. This flaw can be exploited using DNS rebinding or open redirect services, allowing authenticated users to make the server send HTTP requests to internal network resources.
Impact
Exploitation of this vulnerability bypasses the application's SSRF protection, potentially allowing access to internal network resources. However, the vulnerability is classified as Blind SSRF, meaning there is no direct response reflected back to the user. With certain techniques, such as response-timing analysis, it may still be possible to infer the status of internal ports.
Reproduction
To reproduce this vulnerability, log in to the Hemmelig application and navigate to the Secret Requests tab. Create a new request and enter a webhook URL that bypasses the SSRF filter, such as one using DNS rebinding (e.g., localtest.me) or an open redirect service (e.g., httpbin.org/redirect-to). Once the request is saved, the server will initiate a request to the internal resource, which can be confirmed by monitoring the target service.
Remediation
Users are advised to update to Hemmelig version 7.3.3 or later, where this vulnerability has been patched.