
Server-Side Request Forgery in Java by URLConnection Method



Vulnerability Description 


Server-Side Request Forgery (SSRF) is a vulnerability in which the attacker supplies a destination, usually a URL, that the server then requests on the attacker's behalf. It is typically used to make the server fetch data from the Internet or to reach intranet services that are not exposed externally.


SSRF Vulnerability

Server-Side Request Forgery (SSRF) is, simply put, an attack in which the server makes a request on the attacker's behalf (acting like a proxy), to a local or a remote resource, and returns a response containing the data that request produced.

SSRF Illustration



The concept is the same as using a proxy or VPN: the user asks for a resource, the proxy or VPN server fetches it, and the result is returned to the user who asked. The difference is that with SSRF the "proxy" is an application feature that was never meant to be one.

From SSRF, various things can be done, such as:
  • Port scanning of localhost, the internal network and Internet hosts
  • Local file read (using file://)
  • Interaction with internal apps, services and networks
  • RCE by chaining services on the internal network
  • Reading cloud metadata (AWS, Azure, Google Cloud, DigitalOcean, etc.)
  • Reflected XSS/CSRF when the fetched response is returned to the browser
  • Reading sensitive data on the server
  • Exploiting application vulnerabilities on internal hosts and internal websites

Where SSRF vulnerabilities appear

  • Social sharing: fetching the title and other content of a linked page for display.
  • Image loading/downloading: for example, a rich-text editor that downloads a remote image to the local server.
  • Image/article collection ("clipping"): fetching the title and body text behind a URL so they can be shown nicely.
  • Developer-platform API testing tools: companies that expose some of their interfaces to third parties often build a web page that lets developers test whether an endpoint is reachable. If the target URL is not filtered, the tool itself becomes an SSRF.

Related Classes

// Looking for SSRF in a code audit: a simple method is to
// search for this class, for classes that inherit from it,
// and for anything with a similar function
java.net.URLConnection


Check which classes inherit from URLConnection




Java SSRF

Supported pseudo-protocols (URL handlers registered in the JDK):
  • file
  • ftp
  • http
  • https
  • jar
  • mailto
  • netdoc


SSRF Vulnerability Exploitation
URLConnection: accepts any protocol Java has a handler for (file, ftp, jar, netdoc, ...). openConnection() returns a handler-specific subclass, e.g. FileURLConnection for file://.
HttpURLConnection: only HTTP and HTTPS. Casting the result of openConnection() to HttpURLConnection throws a ClassCastException for every other scheme, so the cast alone already blocks file:// reads; it does nothing against requests to internal HTTP services.
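The cast is only half of a defence. The following is an added example, not code from the original post, contrasting the page's open-anything pattern with a wrapper that checks the scheme against an allow-list, resolves the host and refuses loopback, link-local, private and multicast addresses, and disables redirects. The class name SsrfGuard, the method names and the list of test URLs are assumptions constructed for this illustration.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class SsrfGuard {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** The page's pattern: whatever scheme the string carries picks the handler. */
    static URLConnection vulnerableOpen(String userUrl) throws IOException {
        return new URL(userUrl).openConnection();
    }

    /** Addresses a server-side fetch should never be allowed to reach. */
    static boolean isInternal(InetAddress a) {
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        // isSiteLocalAddress() only knows the deprecated fec0::/10 for IPv6;
        // also refuse the unique-local range fc00::/7.
        return a instanceof Inet6Address && (a.getAddress()[0] & 0xFE) == 0xFC;
    }

    /** Allow-listed scheme, a real host, every resolved address external, no redirects. */
    static HttpURLConnection safeOpen(String userUrl) throws IOException {
        URI uri;
        try {
            uri = new URI(userUrl);
        } catch (URISyntaxException e) {
            throw new IOException("malformed URL: " + e.getMessage(), e);
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new IOException("scheme not allowed: " + scheme);
        }
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) {
            throw new IOException("no usable host (or user-info present)");
        }
        // Check every address the name resolves to, not just the first.
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (isInternal(addr)) {
                throw new IOException(host + " resolves to internal address " + addr.getHostAddress());
            }
        }
        HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection();
        conn.setInstanceFollowRedirects(false); // a 302 to http://127.0.0.1/ must not be followed blindly
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(3000);
        return conn;
    }

    public static void main(String[] args) {
        // Constructed inputs; nothing below actually sends a request.
        List<String> inputs = List.of(
                "https://example.com/",
                "file:///etc/passwd",
                "http://127.0.0.1:6379/",
                "http://[::1]:8080/",
                "http://169.254.169.254/latest/meta-data/",
                "http://10.0.0.5/admin",
                "http://user@example.com@127.0.0.1/");
        for (String in : inputs) {
            try {
                URLConnection raw = vulnerableOpen(in);
                System.out.printf("%-42s vulnerableOpen -> %s to host '%s'%n",
                        in, raw.getClass().getSimpleName(), raw.getURL().getHost());
            } catch (IOException e) {
                System.out.printf("%-42s vulnerableOpen -> %s%n", in, e);
            }
            try {
                safeOpen(in);
                System.out.printf("%-42s safeOpen       -> accepted%n", in);
            } catch (IOException e) {
                System.out.printf("%-42s safeOpen       -> rejected: %s%n", in, e.getMessage());
            }
        }
    }
}
```

Two caveats worth knowing. First, the last test input exercises a parser differential: java.net.URL splits the authority at the last '@' and targets 127.0.0.1, while java.net.URI stops at the first '@', cannot parse a server-based authority and reports no host, which is why the guard validates with URI and only converts to URL afterwards. Second, the check resolves the name once and HttpURLConnection resolves it again at connect time, so an attacker-controlled DNS name can change its answer in between (DNS rebinding); closing that gap requires connecting to the validated address and pinning the Host header/SNI yourself, which is outside what this wrapper does.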


URLConnection-Read Files

import java.net.URL;
import java.net.URLConnection;

import java.io.BufferedReader;
import java.io.InputStreamReader;

public class SsrfTest {
    public static void main(String[] args) {
        try {
            // exploit point: in a real application this string comes from the user
            String url = "https://www.baidu.com";
            // instantiate the URL object (the scheme decides which protocol handler is used)
            URL u = new URL(url);
            // open a connection; the concrete URLConnection subclass depends on the scheme
            URLConnection connection = u.openConnection();
            connection.connect();

            StringBuilder response = new StringBuilder();
            // read the resource behind the URL
            BufferedReader in = new BufferedReader(
                new InputStreamReader(connection.getInputStream(), "UTF-8"));

            String line;
            while ((line = in.readLine()) != null) {
                response.append(line).append('\n');
            }
            in.close();

            System.out.print(response);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}


// How to use:
//
// Use http/https to access a site.
// If the request succeeds, the response body is returned.
// E.g.:
// String url = "https://www.baidu.com";

// Use http/https to probe a port.
// An open port answers (or errors) as soon as the connection is made; a closed port
// fails immediately with "Connection refused"; only a filtered port makes the request
// hang until the connect timeout. Use http rather than https against non-TLS services
// such as Redis, otherwise the failure is a TLS handshake error instead of a response.
// E.g.:
// String url = "http://127.0.0.1:8080";
// String url = "http://127.0.0.1:6379";

// Read a file with the file protocol (there is no cast to HttpURLConnection here).
// If the path exists and is readable, its contents are returned.
// Note the three slashes (empty host): file:///C:/... and file:///etc/...
// E.g.:
// String url = "file:///C:/Windows/win.ini";
// String url = "file:///etc/passwd";


HttpURLConnection-Internet Detection

import java.net.URL;
import java.net.URLConnection;
import java.net.HttpURLConnection;

import java.io.BufferedReader;
import java.io.InputStreamReader;

public class SsrfTest {
    public static void main(String[] args) {
        try {
            // exploit point: in a real application this string comes from the user
            String url = "https://www.baidu.com";
            // instantiate the URL object
            URL u = new URL(url);
            // open a connection; the concrete URLConnection subclass depends on the scheme
            URLConnection urlConnection = u.openConnection();
            // cast to HttpURLConnection: throws ClassCastException for file://, ftp://, jar:, ...
            HttpURLConnection httpUrl = (HttpURLConnection) urlConnection;

            StringBuilder response = new StringBuilder();
            // read the resource behind the URL
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(httpUrl.getInputStream(), "UTF-8"));

            String line;
            while ((line = in.readLine()) != null) {
                response.append(line).append('\n');
            }
            in.close();

            System.out.print(response);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}


// How to use:
//
// Same as the URLConnection example above: http/https URLs return the response body,
// and http://127.0.0.1:<port> still works as a port probe.
// The difference is the cast: for file://, ftp://, jar: and the other handlers,
// openConnection() returns a different subclass, so the cast to HttpURLConnection
// throws a ClassCastException and no file is read. Internal HTTP services stay reachable.
// E.g.:
// String url = "https://www.baidu.com";
// String url = "http://127.0.0.1:8080";
// String url = "http://127.0.0.1:6379";
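Both "use http/https to detect the port" notes above lean on timing. The following added example, not code from the original post, turns the same URLConnection/HttpURLConnection calls into a port-state classifier driven by the exception type instead, and also exercises the file:// read from the URLConnection section. The loopback lab listener, the temporary file and the names SsrfProbe, probe and readViaFileUrl are constructed assumptions for this illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.ConnectException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.NoRouteToHostException;
import java.net.ServerSocket;
import java.net.SocketException;
import java.net.SocketTimeoutException;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class SsrfProbe {

    enum PortState { OPEN_HTTP, OPEN_OTHER, CLOSED, FILTERED }

    /**
     * Classify host:port from what the server-side HttpURLConnection throws.
     * The exception type is a far better oracle than "fast vs. slow": a closed
     * port is refused immediately; only a filtered one stalls.
     */
    static PortState probe(String host, int port, int timeoutMs) {
        try {
            URL target = new URL("http://" + host + ":" + port + "/");
            HttpURLConnection c = (HttpURLConnection) target.openConnection();
            c.setConnectTimeout(timeoutMs);
            c.setReadTimeout(timeoutMs);
            c.getResponseCode();                 // connect, send GET, parse the status line
            return PortState.OPEN_HTTP;
        } catch (ConnectException e) {           // TCP RST: nothing is listening
            return PortState.CLOSED;
        } catch (NoRouteToHostException e) {
            return PortState.FILTERED;
        } catch (SocketTimeoutException e) {
            // "connect timed out": the SYN was dropped (firewall / no such host).
            // "Read timed out": the handshake succeeded but the service never
            // spoke HTTP, i.e. a listener is there, just not a web server.
            String msg = String.valueOf(e.getMessage()).toLowerCase();
            return msg.contains("connect") ? PortState.FILTERED : PortState.OPEN_OTHER;
        } catch (SocketException e) {
            String msg = String.valueOf(e.getMessage()).toLowerCase();
            return msg.contains("unreachable") ? PortState.FILTERED : PortState.OPEN_OTHER;
        } catch (IOException e) {
            // Reset after accept, garbage instead of a status line, TLS failure when
            // https:// is used against a plaintext service: something answered.
            return PortState.OPEN_OTHER;
        }
    }

    /** The file:// read from the URLConnection section: the generic path serves local files. */
    static String readViaFileUrl(Path p) throws IOException {
        URLConnection c = p.toUri().toURL().openConnection();   // FileURLConnection, no cast
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(c.getInputStream(), StandardCharsets.UTF_8))) {
            return in.readLine();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed lab: a loopback listener that never answers. The kernel completes
        // the TCP handshake from the backlog even though accept() is never called, so
        // connect() succeeds and only the read times out.
        int port;
        try (ServerSocket silent = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            port = silent.getLocalPort();
            System.out.println("listener up   127.0.0.1:" + port + " -> " + probe("127.0.0.1", port, 1500));
        }
        // Same port once the listener is gone: an immediate refusal, no delay.
        System.out.println("listener gone 127.0.0.1:" + port + " -> " + probe("127.0.0.1", port, 1500));

        // Constructed sample file standing in for /etc/passwd or C:\Windows\win.ini.
        Path tmp = Files.createTempFile("ssrf-sample", ".txt");
        Files.writeString(tmp, "secret=constructed-sample-value\n");
        System.out.println("file://       " + tmp + " -> " + readViaFileUrl(tmp));
        Files.delete(tmp);
    }
}
```

Run it and the first probe reports OPEN_OTHER (read timed out against a silent listener), the second CLOSED (connection refused), and the file:// line prints the constructed sample. In a real SSRF you do not get the exception object, only the application's behaviour (error page, response time, body), but the same three outcomes are what leak through, and the distinction between "refused at once" and "hung until timeout" is what makes the timing rule of thumb in the notes above actually work.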


In Practice

When hunting for SSRF, check whether the input that reaches these classes and methods is externally controllable:

  • java.net: URL.openStream, URLConnection, HttpURLConnection, HttpURLConnection.connect, HttpURLConnection.getInputStream
  • Apache HttpClient: HttpClient.execute (4.x), HttpClient.executeMethod (3.x)
  • HttpRequest: HttpRequest.get, HttpRequest.post, HttpRequest.put, HttpRequest.delete, HttpRequest.head, HttpRequest.options, HttpRequest.trace
  • OkHttp: Request request = new Request.Builder().url([trigger point]).build();