From d89aad635456b4338879fe84e2d7b4ba19effce1 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <23113631+pixeebot@users.noreply.github.com>
Date: Tue, 2 Jan 2024 22:16:17 +0000
Subject: [PATCH] Sandboxed URL creation to prevent SSRF attacks
---
pom.xml | 10 ++++++++++
.../java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java | 4 +++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 15851ec3b..391b1b799 100644
--- a/pom.xml
+++ b/pom.xml
@@ -146,6 +146,7 @@
1.4.5
1.5.2
+ 1.1.1
@@ -248,6 +249,11 @@
jruby
9.3.6.0
+
+ io.github.pixee
+ java-security-toolkit
+ ${versions.java-security-toolkit}
+
@@ -393,6 +399,10 @@
rest-assured
test
+
+ io.github.pixee
+ java-security-toolkit
+
diff --git a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
index cb58bd63d..fecb3efa2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
@@ -22,6 +22,8 @@
package org.owasp.webgoat.lessons.ssrf;
+import io.github.pixee.security.HostValidator;
+import io.github.pixee.security.Urls;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
@@ -48,7 +50,7 @@ public AttackResult completed(@RequestParam String url) {
protected AttackResult furBall(String url) {
if (url.matches("http://ifconfig.pro")) {
String html;
- try (InputStream in = new URL(url).openStream()) {
+ try (InputStream in = Urls.create(url, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS).openStream()) {
html =
new String(in.readAllBytes(), StandardCharsets.UTF_8)
.replaceAll("\n", "
"); // Otherwise the \n gets escaped in the response
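Review bot: The validation added in the `try` header checks only the URL string as submitted; `openStream()` on an `http` URL follows redirects by default, and a host denylist cannot see where a redirect or DNS resolution finally lands, so the fetch may still reach an address the validator would have refused. If the lesson permits it, open the connection explicitly and turn redirects off, e.g. `HttpURLConnection c = (HttpURLConnection) Urls.create(...).openConnection(); c.setInstanceFollowRedirects(false);`, then read from `c.getInputStream()`. As far as I recall the toolkit, a rejected protocol or host is reported with an unchecked `SecurityException`, which the `catch` clauses of this `try` (outside the hunk) presumably do not handle, so it is worth confirming that a rejection maps to the lesson's failure result rather than an unhandled error. Separately, the effective allowlist is the context line `url.matches("http://ifconfig.pro")`, where `.` is a regex wildcard; `"http://ifconfig.pro".equals(url)` would make it an exact match. `furBall`'s body starts and continues outside this hunk.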