diff --git a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
index cb58bd63d..fecb3efa2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
@@ -22,6 +22,8 @@
 package org.owasp.webgoat.lessons.ssrf;
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
@@ -48,7 +50,7 @@ public AttackResult completed(@RequestParam String url) {
 protected AttackResult furBall(String url) {
 if (url.matches("http://ifconfig.pro")) {
 String html;
-try (InputStream in = new URL(url).openStream()) {
+try (InputStream in = Urls.create(url, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS).openStream()) {
 html = new String(in.readAllBytes(), StandardCharsets.UTF_8)
 .replaceAll("\n", "
"); // Otherwise the \n gets escaped in the response