Added supplementary ssrf endpoint

ScaleSec · Feb 21, 2019 · 10857dc · 10857dc
1 parent 5a3712c
commit 10857dc
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 14 deletions.
diff --git a/exercises/03-ssrf.md b/exercises/03-ssrf.md
@@ -42,6 +42,8 @@ Once you have this list try to execute a SSRF attack against the endpoint `/link
   ]
   ```
 
-  **Followup question:** How would we validate the url that is being passed into this function?
+  **Followup question:**
+  1. How would we validate the url that is being passed into this function?
+  2. Use the `/links-v2` and see if you can still break it.
 
 </details>
diff --git a/src/main/java/com/scalesec/vulnado/LinkLister.java b/src/main/java/com/scalesec/vulnado/LinkLister.java
@@ -7,20 +7,32 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.io.IOException;
+import java.net.*;
 
 
 public class LinkLister {
-  public static List<String> getLinks(String url) {
+  public static List<String> getLinks(String url) throws IOException {
     List<String> result = new ArrayList<String>();
+    Document doc = Jsoup.connect(url).get();
+    Elements links = doc.select("a");
+    for (Element link : links) {
+      result.add(link.absUrl("href"));
+    }
+    return result;
+  }
+
+  public static List<String> getLinksV2(String url) throws BadRequest {
     try {
-      Document doc = Jsoup.connect(url).get();
-      Elements links = doc.select("a");
-      for (Element link : links) {
-        result.add(link.absUrl("href"));
+      URL aUrl= new URL(url);
+      String host = aUrl.getHost();
+      System.out.println(host);
+      if (host.startsWith("172.") || host.startsWith("192.168") || host.startsWith("10.")){
+        throw new BadRequest("Use of Private IP");
+      } else {
+        return getLinks(url);
       }
     } catch(Exception e) {
-      e.printStackTrace();
+      throw new BadRequest(e.getMessage());
     }
-    return result;
   }
 }
diff --git a/src/main/java/com/scalesec/vulnado/LinksController.java b/src/main/java/com/scalesec/vulnado/LinksController.java
@@ -6,13 +6,18 @@
 import org.springframework.boot.autoconfigure.*;
 import java.util.List;
 import java.io.Serializable;
+import java.io.IOException;
+
 
 @RestController
 @EnableAutoConfiguration
 public class LinksController {
-    @CrossOrigin(origins = "*")
-    @RequestMapping(value = "/links", produces = "application/json")
-    List<String> links(@RequestParam String url) {
-        return LinkLister.getLinks(url);
-    }
+  @RequestMapping(value = "/links", produces = "application/json")
+  List<String> links(@RequestParam String url) throws IOException{
+    return LinkLister.getLinks(url);
+  }
+  @RequestMapping(value = "/links-v2", produces = "application/json")
+  List<String> linksV2(@RequestParam String url) throws BadRequest{
+    return LinkLister.getLinksV2(url);
+  }
 }
diff --git a/src/main/resources/super-secret-config.yml b/src/main/resources/super-secret-config.yml