FULL read SSRF in gogs/gogs
Apr 6th 2022
There are two ways to bypass the previous SSRF fixes in gogs:
The first is a DNS rebinding attack: the hostname passes the local-address check, then resolves to an internal address when the webhook request is actually made.
The second is an HTTP redirect from an allowed URL to a localhost URL.
Proof of Concept
1- Go to the webhooks section and create a gogs webhook.
2- Enter a URL that redirects to
3- Test the webhook and look at its response; the complete response body from the internal resource is returned, which makes this a full-read SSRF.
For proof, I got the DigitalOcean public key.
There is no security issue with the DigitalOcean droplet's metadata, but on AWS, GCP, and some other clouds, access keys can be read through this vulnerability.
The account/webhook address that I used during my tests is
Suggested fix: IsLocalHostname should return the resolved IP addresses of the hostname (and the webhook request should be sent to those addresses), so that the address that was checked is the address that is connected to, and a rebinding DNS answer cannot change the target between the check and the request.
Any internal resource that exposes an HTTP API reachable without credentials is exposed to high-impact risk.
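The following is an added example of a hardened webhook client, written for this page and not gogs' own code. It closes both bypasses above: the dialer resolves the target once, rejects loopback, private, link-local and unspecified addresses (including IPv4-mapped IPv6 forms), and connects to the exact address it checked, so a rebinding DNS answer cannot swap in 127.0.0.1 after the check; every redirect target is re-checked and hops are capped. The `lookupFunc` indirection, the `systemLookup` wrapper, and the names `safeTargets`, `newWebhookClient` and `deliverWebhook` are assumptions made for the example so that it can run offline with constructed DNS records.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// lookupFunc abstracts DNS resolution so the check can be exercised offline
// with constructed records (assumed helper type, not from gogs).
type lookupFunc func(ctx context.Context, host string) ([]net.IP, error)

// systemLookup is the real resolver to use in production.
func systemLookup(ctx context.Context, host string) ([]net.IP, error) {
	return net.DefaultResolver.LookupIP(ctx, "ip", host)
}

// isDisallowedIP reports whether ip is an address a webhook must never reach.
// net.IP methods handle IPv4-mapped IPv6 (::ffff:127.0.0.1) via To4().
func isDisallowedIP(ip net.IP) bool {
	return ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast()
}

// safeTargets resolves host once and returns every address, refusing the
// whole set if any record is disallowed (an attacker controls the zone, so a
// single bad record is enough). Returning the addresses rather than a bool is
// what lets the dialer connect to exactly what was checked.
func safeTargets(ctx context.Context, lookup lookupFunc, host string) ([]net.IP, error) {
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		var err error
		if ips, err = lookup(ctx, host); err != nil {
			return nil, err
		}
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("webhook: %q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return nil, fmt.Errorf("webhook: %q resolves to disallowed address %s", host, ip)
		}
	}
	return ips, nil
}

// newWebhookClient builds a client that validates and pins the destination on
// every new connection (closes DNS rebinding) and re-validates each redirect
// target with a hop cap (closes the redirect-to-localhost bypass).
func newWebhookClient(lookup lookupFunc) *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	transport := &http.Transport{
		Proxy: nil, // never honour environment proxies for webhook traffic
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ips, err := safeTargets(ctx, lookup, host)
			if err != nil {
				return nil, err
			}
			// Dial the checked address, not the result of a fresh lookup;
			// TLS still verifies against the original hostname.
			return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
		},
	}
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: transport,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("webhook: too many redirects")
			}
			if req.URL.Scheme != "http" && req.URL.Scheme != "https" {
				return fmt.Errorf("webhook: refusing redirect to scheme %q", req.URL.Scheme)
			}
			_, err := safeTargets(req.Context(), lookup, req.URL.Hostname())
			return err
		},
	}
}

// deliverWebhook posts payload and returns only the status code: the body is
// never surfaced to the user, so a future bypass cannot become a full read.
func deliverWebhook(client *http.Client, url string, payload []byte) (int, error) {
	resp, err := client.Post(url, "application/json", bytes.NewReader(payload))
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	client := newWebhookClient(systemLookup)
	_, err := deliverWebhook(client, "http://127.0.0.1:3000/", []byte(`{}`)) // hypothetical target
	fmt.Println("loopback delivery blocked:", err != nil)
}
```

The check runs inside DialContext on purpose: a check done only before `client.Post` is a time-of-check/time-of-use window that DNS rebinding exploits, whereas a check at dial time sees the same answer the socket is opened on. Not returning the response body to the webhook UI is the defence in depth that turns a residual SSRF from "full read" into "blind".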