Summary

This is a security advisory for a bug that I discovered in Resolv::getaddresses that enabled me to bypass multiple Server-Side Request Forgery filters. Applications such as GitLab and HackerOne were affected by this bug. The disclosure of all reports referenced in this advisory follows HackerOne’s Vulnerability Disclosure Guidelines. This bug was assigned CVE-2017-0904.

Vulnerability Details

Resolv::getaddresses is OS-dependent, therefore by playing around with different IP formats o...