industry · 2026-05-25 · 13 min read

Webhook dispatch DNS rebinding SSRF attack re-validation — VV F3 (PR #575)

Cagri is a 38-year-old freelance security researcher based in Maslak, Istanbul. He sits in the HackerOne Turkey top 10, has spent nine years specializing in SSRF and DNS rebinding, and joined the thMenu private bounty programme in May 2026.

Webhook subscriptions let thMenu Pro+ operators register a URL (third-party POS integrators, accounting systems, Slack) that receives events. The subscription URL went through SSRF validation at subscribe time, which rejected internal IP addresses. The problem: DNS resolution can change between the moment of subscription and the fetch at dispatch time.

Lab reproduction: Cagri pointed an A record for ssrf-test.cagri-research.com at the public IP 203.0.113.42 and registered a webhook subscription for order.created; the subscribe-time SSRF check passed. He then changed the A record to 127.0.0.1 (TTL 60s) and waited for propagation. A test order fired order.created; the dispatcher SELECTed the subscription, fetched the hostname, and resolved it to the new address, 127.0.0.1.

Cloudflare Worker isolation blocked the request to 127.0.0.1, but the same rebind could be aimed at the 169.254.169.254 metadata address and at thMenu's internal Cloudflare zones. The result is a server-side CSRF variant: a spoofed webhook payload delivered into the internal pipeline. The issue was disclosed at CVSS 7.4 (High).

Root cause, in cloudflare/src/lib/webhook-dispatcher.ts: the dispatcher fetched the hostname directly, with no DNS resolution or IP validation of its own. The only check was the subscribe-time z.string().url().refine(noSsrf), which reflects the DNS state at that moment and nothing later. The Worker's fetch resolves the name again at dispatch time, so a name that was public when subscribed can be rebound to 127.0.0.1 by then. Isolation blocks some targets, but there was no application-level defense.

The fix (PR #575, VV F3): at dispatch time, resolve the hostname over DoH (cloudflare-dns.com/dns-query) with AbortSignal.timeout(3000), map the returned A records through an isPrivateIp + isLinkLocalIp + isMetadataServiceIp blocklist, and if any record matches, write a webhook_dispatch_ssrf_blocked audit log entry, notify the operator, and return dispatched: false with reason ssrf_block. The helpers cover: isPrivateIp 10/8, 172.16/12, 192.168/16, 127/8, ::1 and fc00::/7; isLinkLocalIp 169.254/16 and fe80::/10; isMetadataServiceIp 169.254.169.254, 169.254.170.2 and 100.100.100.200.

A TOCTOU gap of 50-100 ms remains between the DoH lookup and the fetch. Closing it is on the backlog: DNS cache pinning (a 5-minute IP cache) and dispatching to the resolved IP while preserving the Host header. Cloudflare Workers expose no DNS-pinning fetch API, so this needs a wrapper pattern.

The fix shipped within 36 hours. Cagri received $1,600 and a Hall of Fame entry, is giving a 45-minute OWASP TR talk on DNS rebinding against SaaS, and the LinkedIn write-up reached 11.7k. Sweep results: webhook-dispatcher fixed; the affiliate postback dispatcher is on the backlog; outbound calls to Stripe, Wise and Resend go to public endpoints (low risk); the custom-domain verifier already uses Cloudflare DoH (low risk).
Already protected: the image proxy enforces a URL scheme allowlist, and the asset proxy is internal to R2.

Linus, a 37-year-old researcher from Sodermalm, Stockholm (Bugcrowd Nordic top 10, ex-Klarna), reported the same webhook DNS rebind in parallel the same week and received $1,400 plus six months of priority access. The two published a joint Twitter thread and are presenting at OWASP TR and the Stockholm meetup in Q3 2026.

Related search terms: webhook dispatcher DNS rebinding SSRF re-validation at dispatch time; SaaS webhook subscriber subscribe-time vs dispatch-time validation; Cloudflare Worker outbound fetch SSRF DNS rebinding; DoH dispatch-time hostname resolve + IP validation pattern.

The pattern: any system that accepts a user-controllable URL and later performs a server-side fetch must validate at DISPATCH TIME, NOT SUBSCRIBE TIME; DNS rebinding abuses the window in between. The canonical five components:
(1) dispatch-time DoH hostname lookup with AbortSignal.timeout(3000);
(2) an IP blocklist covering private, link-local and metadata ranges, including the IPv6 equivalents;
(3) block on ANY positive match, because with DNS round-robin probing a single IP is not enough;
(4) audit log plus operator notification;
(5) backlog: DNS cache pinning and an IP-based fetch to close the TOCTOU gap, via a wrapper in the Cloudflare Worker.
CLAUDE.md §17 now lists webhook dispatch outbound fetch DNS rebinding as a sibling anti-pattern. Reference: PR #575.


thMenu Team

thmenu.com
