Example of Spring MVC HttpURLConnection Vulnerability


I. The Principle and Harm of SSRF Vulnerability

SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker constructs a malicious request that causes the server to issue an unintended network request. This may lead to the following risks:

  1. Accessing internal sensitive systems (such as databases or management back-ends)

  2. Port scanning to detect internal network services

  3. Reading local files through the file protocol (file://)

  4. Forming chained attacks with other vulnerabilities (such as XXE+SSRF)

This article introduces SSRF from the perspective of Java code auditing.

Example of Spring MVC HttpURLConnection Vulnerability

Complete vulnerability code

import org.springframework.web.bind.annotation.*;
import java.net.*;
import java.io.*;

@RestController
public class VulnerableController {

    @GetMapping("/request")
    public String requestUrl(@RequestParam("url") String urlString) throws IOException {
        URL url = new URL(urlString); // The root cause of the vulnerability: using unverified user input directly
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");

        // Read response content
        StringBuilder response = new StringBuilder();
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream()))) {
            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                response.append(inputLine);
            }
        }
        return response.toString();
    }
}

Vulnerability Execution Flow Analysis

  1. Attack entry: the attacker accesses the /request?url=http://attacker.com endpoint

  2. Parameter injection: the urlString parameter receives user input directly (such as http://192.168.1.1:8080)

  3. Establish connection:

    • new URL(urlString) instantiates the URL object without any validation

    • url.openConnection() creates an actual connection based on the protocol (HTTP/HTTPS/FTP, etc. are supported)

  4. Initiate request: conn.getInputStream() triggers the network request

  5. Data leakage: the response content is read and returned to the attacker

Vulnerability Exploitation Scenario

GET /request?url=file:///etc/passwd HTTP/1.1
GET /request?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1  # AWS Metadata

Example of Apache HttpClient Vulnerability

Complete vulnerability code

import org.apache.http.client.methods.*;
import org.apache.http.impl.client.*;
import org.apache.http.util.EntityUtils;
import org.springframework.web.bind.annotation.GetMapping;

// Handler method of a @RestController; the URL parameter is bound from the query string
@GetMapping("/apacheRequest")
public String apacheRequest(String url) throws Exception {
    try (CloseableHttpClient client = HttpClients.createDefault()) {
        HttpGet request = new HttpGet(url); // Vulnerability point: directly use user input
        try (CloseableHttpResponse response = client.execute(request)) {
            return EntityUtils.toString(response.getEntity());
        }
    }
}

Vulnerability trigger path

  1. Request construction: HttpGet directly uses the unfiltered URL parameter

  2. Protocol support: http/https/ftp/file and other protocols are supported by default

  3. Attack example:

// Detect Redis service
client.execute(new HttpGet("http://127.0.0.1:6379"))

// Read local file
client.execute(new HttpGet("file:///C:/Windows/win.ini"))

Example of OkHttpClient Vulnerability

Complete vulnerability code

import okhttp3.*;
import org.springframework.web.bind.annotation.GetMapping;
import java.io.IOException;

// Handler method of a @RestController; inputUrl is bound from the query string
@GetMapping("/okHttpRequest")
public String okHttpRequest(String inputUrl) throws IOException {
    OkHttpClient client = new OkHttpClient();
    Request request = new Request.Builder()
        .url(inputUrl) // Vulnerability core: unverified URL input
        .build();

    try (Response response = client.newCall(request).execute()) {
        return response.body().string();
    }
}

Vulnerability exploitation characteristics

  1. Protocol processing: supports http/https/ftp/file/jar and other protocols

  2. Bypass techniques:

// Use 302 redirect to bypass whitelist detection
.url("http://safe.com/redirect?target=http://internal") 

// Use non-standard port
.url
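As an added example (not code from the original article), here is a hardened version of the Spring MVC controller from the first section; the URL checks it performs are the ones to apply before handing a URL to Apache HttpClient or OkHttp as well, and disabling redirect-following closes the 302 bypass listed above. Assumptions: api.example.com is a placeholder allowed host, and Java 11 or later.

```java
import org.springframework.web.bind.annotation.*;
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.Set;

@RestController
public class HardenedController {
    // Assumption: only this placeholder host is a legitimate outbound target for the endpoint.
    private static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com");

    @GetMapping("/safeRequest")
    public String safeRequest(@RequestParam("url") String urlString) throws IOException {
        URI uri;
        try {
            uri = new URI(urlString).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed url");
        }
        // 1. Scheme allowlist: rejects file://, ftp://, jar: and every other non-HTTP scheme.
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("scheme not allowed");
        }
        // 2. Host allowlist on the parsed host, not a substring match on the raw string.
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not allowed");
        }
        // 3. Resolve the host and refuse loopback, private, link-local (169.254.169.254) or
        //    wildcard addresses, in case an allowed name is pointed at something internal.
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                    || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()) {
                throw new IllegalArgumentException("target resolves to an internal address");
            }
        }
        HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection();
        conn.setRequestMethod("GET");
        // 4. No automatic redirects: a 302 from an allowed host must not re-target the request.
        conn.setInstanceFollowRedirects(false);
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(5000);
        if (conn.getResponseCode() / 100 != 2) {
            throw new IOException("unexpected status " + conn.getResponseCode());
        }
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }
}
```

The resolve-then-connect check still leaves a DNS rebinding window (the address can change between the lookup and the connection), and isSiteLocalAddress() does not cover IPv6 unique local addresses (fc00::/7); a production deployment would also constrain egress with a proxy or network policy.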
Last modified time:
admin