Server-Side Request Forgery in Java by URLConnection Method - Tutorial Boy -->

Server-Side Request Forgery in Java by URLConnection Method


Vulnerability Description 

Server Request Forgery (Server-Side Request Forgery). The vulnerabilities are caused by attackers constructing attack requests and transmitting them to the server for execution. Generally, it is used to detect data over the Internet or attack intranet services. 

SSRF Vulnerability

Server-Side Request Forgery (SSRF) is simply an attack where the server will make a request (act like a proxy) for the attacker either to a local or to a remote source and then return a response containing the data resulting from the request.

SSRF Illustration


We can say that the concept of SSRF is the same as using a proxy or VPN where the user will make a request to a certain resource, then the proxy or VPN Server will make a request to that resource, then return the results to the user who made the request.

From SSRF, various things can be done, such as:
  • Local/Remote Port Scan
  • Local File Read (using file://)
  • Interact with internal apps/service/network
  • RCE by chaining services on the internal network
  • Read Metadata Cloud (AWS, Azure, Google Cloud, Digital Ocean, etc)
  • Reflected XSS/CSRF
  • Internet ip address/port scan
  • Server sensitive data reading
  • Exploit application vulnerabilities on internal hosts 
  • Exploit internal website vulnerabilities 

SSRF vulnerabilities 

  • The Social sharing function: obtain the title of the hyperlink and other content for display. 
  • Image loading/downloading: for example, click to download an image to a local device in a rich text editor. 
  • image/article collection function: mainly uses the title and text content in the URL as a display for a good experience.
  • The develop platform interface testing tools: some companies will open some of their own interfaces to form third-party interfaces. At this time, they usually develop a web to test whether their interfaces are connected, and test the interfaces for these programmers. If they are not filtered properly, ssrf will be caused. 

Related Classes

// Looking for ssrf in code audit
// there is a simple method
// Search for this class, or inherit from this class, or it is right if it has a similar function to this class
java.net.URLConnection

Check Who Inherits The URLConnection Method


Java SSRF

            Supported pseudo protocols
file
FTP
http
https
jar
mailto
netdoc

SSRF Vulnerability Exploitation

URLConnection: can take various protocols supported in java, such as file
HttpURLConnection: Only use HTTP or HTTPS protocol

URLConnection-Read Files

import java.net.URL;
import java.net.URLConnection;

import java.io.BufferedReader;
import java.io.InputStreamReader;

public class SsrfTest {
    public static void main(String[] args) {
        try {
            // exploit point
            String url = "https://www.baidu.com";
            // instantiate the object of the url
            URL u = new URL(url);
            //Open a URL connection and run the client to access the resource.
            URLConnection connection = u.openConnection();
            connection.connect();
            connection.getInputStream();

            StringBuilder response = new StringBuilder();
            //Get the resource in the url
            BufferedReader in = new BufferedReader(
                new InputStreamReader(connection.getInputStream(), "UTF-8"));

            String line;
            while ((line = in.readLine()) != null) {
                response.append(line + "\n");
            }
            in.close();

            System.out.print(response.toString());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

// How to use:
//
// use http/https to access the site
// If the access is successful, the data will be returned
// E.g: 
// String url = "https://www.baidu.com";

// Use http/https to detect the port
// When the accessed port is opened, it will return quickly, if it is not opened, it will be delayed for a while
// E.g: 
// String url = "https://127.0.0.1:8080";
// String url = "https://127.0.0.1:6379";

// View the file using the file protocol
// If the access is successful, the data will be returned
// E.g: 
// String url = "file://C:/Windows/win.ini";
// String url = "file:///etc/passwd";

HttpURLConnection-Internet Detection

import java.net.URL;
import java.net.URLConnection;
import java.net.HttpURLConnection;

import java.io.BufferedReader;
import java.io.InputStreamReader;

public class SsrfTest {
    public static void main(String[] args) {
        try {
            // exploit point
            String url = "https://www.baidu.com";
            //Instantiate the object of the url
            URL u = new URL(url);
            // Open a URL connection and run the client to access the resource.
            URLConnection urlConnection = u.openConnection();
            // Forced to HttpURLConnection
            HttpURLConnection httpUrl = (HttpURLConnection) urlConnection;

            StringBuilder response = new StringBuilder();
            // Get the resource in the url
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(httpUrl.getInputStream(), "UTF-8"));

            String line;
            while ((line = in.readLine()) != null) {
                response.append(line);
            }
            in.close();

            System.out.println(response);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

// How to use:
//
// use http/https to access the site
// If the access is successful, the data will be returned
// E.g: 
// String url = "https://www.baidu.com";

// Use http/https to detect the port
// When the accessed port is opened, it will return quickly, if it is not opened, it will be delayed for a while
// E.g: 
// String url = "https://127.0.0.1:8080";
// String url = "https://127.0.0.1:6379";

The Actual Combat

When you want to find ssrf, you can find out whether the input points of these classes are externally controllable

URL.openStream

URLConnection

HttpURLConnection
HttpURLConnection.connect
HttpURLConnection.getInputStream

HttpClient
HttpClient.execute
HttpClient.executeMethod

HttpRequest
HttpRequest.get
HttpRequest.post
HttpRequest.put
HttpRequest.delete
HttpRequest.head
HttpRequest.options
HttpRequest.trace

okhttp = Request request = new Request.Builder().url([trigger point]).build();