Server-Side Request Forgery in Java by URLConnection Method

Vulnerability Description

SSRF Vulnerability

We can say that the concept of SSRF is the same as using a proxy or VPN where the user will make a request to a certain resource, then the proxy or VPN Server will make a request to that resource, then return the results to the user who made the request.

From SSRF, various things can be done, such as:

From SSRF, various things can be done, such as:

  • Local/Remote Port Scan
  • Local File Read (using file://)
  • Interact with internal apps/service/network
  • RCE by chaining services on the internal network
  • Read Metadata Cloud (AWS, Azure, Google Cloud, Digital Ocean, etc)
  • Reflected XSS/CSRF
  • Internet ip address/port scan
  • Server sensitive data reading
  • Exploit application vulnerabilities on internal hosts
  • Exploit internal website vulnerabilities

SSRF vulnerabilities

  • The Social sharing function: obtain the title of the hyperlink and other content for display.
  • Image loading/downloading: for example, click to download an image to a local device in a rich text editor.
  • image/article collection function: mainly uses the title and text content in the URL as a display for a good experience.
  • The develop platform interface testing tools: some companies will open some of their own interfaces to form third-party interfaces. At this time, they usually develop a web to test whether their interfaces are connected, and test the interfaces for these programmers. If they are not filtered properly, ssrf will be caused.

Related Classes

// Looking for ssrf in code audit // there is a simple method // Search for this class, or inherit from this class, or it is right if it has a similar function to this class java.net.URLConnection

Check Who Inherits The URLConnection Method

Java SSRF

Supported pseudo protocols

FTP

http

https

jar

mailto

netdoc

SSRF Vulnerability Exploitation

URLConnection: can take various protocols supported in java, such as file
HttpURLConnection: Only use HTTP or HTTPS protocol

SSRF Vulnerability Exploitation

URLConnection-Read Files

import java.net.URL;
import java.net.URLConnection;
import java.io.BufferedReader;
import java.io.InputStreamReader;
public class SsrfTest {
public static void main(String[] args) {
try {
// exploit point
String url = "https://www.baidu.com";
// instantiate the object of the url
URL u = new URL(url);
//Open a URL connection and run the client to access the resource.
URLConnection connection = u.openConnection();
connection.connect();
connection.getInputStream();
StringBuilder response = new StringBuilder();
//Get the resource in the url
BufferedReader in = new BufferedReader(
new InputStreamReader(connection.getInputStream(), "UTF-8"));
String line;
while ((line = in.readLine()) != null) {
response.append(line + "\n");
}
in.close();
System.out.print(response.toString());
} catch (Exception e) {
e.printStackTrace();
}
}
}
// How to use:
//
// use http/https to access the site
// If the access is successful, the data will be returned
// E.g:
// String url = "https://www.baidu.com";
// Use http/https to detect the port
// When the accessed port is opened, it will return quickly, if it is not opened, it will be delayed for a while
// E.g:
// String url = "https://127.0.0.1:8080";
// String url = "https://127.0.0.1:6379";
// View the file using the file protocol
// If the access is successful, the data will be returned
// E.g:
// String url = "file://C:/Windows/win.ini";
// String url = "file:///etc/passwd";

HttpURLConnection-Internet Detection

import java.net.URL;
import java.net.URLConnection;
import java.net.HttpURLConnection;
import java.io.BufferedReader;
import java.io.InputStreamReader;
public class SsrfTest {
public static void main(String[] args) {
try {
// exploit point
String url = "https://www.baidu.com";
//Instantiate the object of the url
URL u = new URL(url);
// Open a URL connection and run the client to access the resource.
URLConnection urlConnection = u.openConnection();
// Forced to HttpURLConnection
HttpURLConnection httpUrl = (HttpURLConnection) urlConnection;
StringBuilder response = new StringBuilder();
// Get the resource in the url
BufferedReader in = new BufferedReader(
new InputStreamReader(httpUrl.getInputStream(), "UTF-8"));
String line;
while ((line = in.readLine()) != null) {
response.append(line);
}
in.close();
System.out.println(response);
} catch (Exception e) {
e.printStackTrace();
}
}
}
// How to use:
//
// use http/https to access the site
// If the access is successful, the data will be returned
// E.g:
// String url = "https://www.baidu.com";
// Use http/https to detect the port
// When the accessed port is opened, it will return quickly, if it is not opened, it will be delayed for a while
// E.g:
// String url = "https://127.0.0.1:8080";
// String url = "https://127.0.0.1:6379";

The Actual Combat

When you want to find ssrf, you can find out whether the input points of these classes are externally controllableURL.openStreamURLConnectionHttpURLConnection
HttpURLConnection.connect
HttpURLConnection.getInputStream
HttpClient
HttpClient.execute
HttpClient.executeMethod
HttpRequest
HttpRequest.get
HttpRequest.post
HttpRequest.put
HttpRequest.delete
HttpRequest.head
HttpRequest.options
HttpRequest.trace
okhttp = Request request = new Request.Builder().url([trigger point]).build();

Originally published at https://tutorialboy24.blogspot.com

--

--

Our mission is to get you into information security. We'll introduce you to penetration testing and Red Teaming. We cover network testing, Active Directory.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
TutorialBoy

TutorialBoy

120 Followers

Our mission is to get you into information security. We'll introduce you to penetration testing and Red Teaming. We cover network testing, Active Directory.