SSRF Full Attack Demo on the web application for Pinewooodstore

Techtalkpine > Cybersecurity > SSRF Full Attack Demo on the web application for Pinewooodstore

In this blog we are going to discuss Server-Side Request Forgery (SSRF) and demo how the exploitation is carried out on the vulnerable web application called PinewoodStore. We would also analyze the vulnerable code found in the PinewoodStore web application and a secure implementation using an allowlist of trusted hosts.

Server-Side Request Forgery (SSRF)

1. What is SSRF?

Server-Side Request Forgery (SSRF) is a security vulnerability that allows an attacker to make unauthorized requests from a server. This can lead to data exfiltration, internal network access, and even Remote Code Execution (RCE) in some cases.

Example SSRF Attack Scenarios

  1. Internal Network Access – Attackers exploit SSRF to reach internal systems (http://localhost, http://169.254.169.254/) that should not be publicly accessible.
  2. Cloud Metadata Exploitation – Attackers retrieve AWS or Google Cloud credentials from http://169.254.169.254/latest/meta-data/.
  3. Bypassing Firewalls – The application makes requests from the backend, which may have broader access than the attacker’s client.

2. Vulnerable SSRF Code in PinewoodStore

The following vulnerable implementation exists in the PinewoodStore web application:

@RestController
@CrossOrigin(origins = {"http://localhost:3000","http://192.168.1.80:3000"}) // Adjust based on your frontend URL
public class UrlFetchController {

    @PostMapping("/fetch-data")
    public String fetchData(@RequestBody String url) {
        try {
            // Directly using user-provided URL (Vulnerable to SSRF)
            System.out.println(url);
            
            String newUrl = url.replace("\"", ""); // Unsafe way to sanitize URL
            System.out.println(newUrl);

            URL targetUrl = new URL(newUrl);
            HttpURLConnection connection = (HttpURLConnection) targetUrl.openConnection();
            connection.setRequestMethod("GET");

            InputStream inputStream = connection.getInputStream();
            return new String(inputStream.readAllBytes(), StandardCharsets.UTF_8);
        } catch (Exception e) {
            return "Error fetching data: " + e.getMessage();
        }
    }
}

Why This Code is Vulnerable?

Directly Accepts User Input – The URL comes from an untrusted source and is processed without validation.
Can Access Internal Networks – Attackers can supply http://localhost:8080/admin or http://169.254.169.254/latest/meta-data/ to reach sensitive resources.
Potential for Unauthorized Data Access – The application fetches data and returns it without restricting where the request is made.

3. Secure Implementation Using an Allowlist

To mitigate SSRF, an allowlist of trusted domains should be enforced. The secure version of the fetchData method ensures that requests are only sent to allowed hosts.

Secure Implementation

@RestController
@CrossOrigin(origins = {"http://localhost:3000","http://192.168.1.80:3000"}) // Adjust based on your frontend URL
public class SecureUrlFetchController {

    // Allow only trusted domains
    private static final List<String> ALLOWED_HOSTS = Arrays.asList("pinewoodstore.com", "api.pinewoodstore.com");

    @PostMapping("/fetch-data")
    public String fetchData(@RequestBody String url) {
        try {
            // Parse URL
            URL targetUrl = new URL(url.replace("\"", ""));
            String host = targetUrl.getHost();

            // Validate host against the allowlist
            if (!ALLOWED_HOSTS.contains(host)) {
                return "Blocked: Untrusted host!";
            }

            HttpURLConnection connection = (HttpURLConnection) targetUrl.openConnection();
            connection.setRequestMethod("GET");

            InputStream inputStream = connection.getInputStream();
            return new String(inputStream.readAllBytes(), StandardCharsets.UTF_8);
        } catch (MalformedURLException e) {
            return "Invalid URL!";
        } catch (Exception e) {
            return "Error fetching data: " + e.getMessage();
        }
    }
}

How This Fixes SSRF?

Uses an Allowlist – The host of the requested URL must match "pinewoodstore.com" or "api.pinewoodstore.com".
Blocks Requests to Internal Networks – Attackers cannot reach localhost, 169.254.169.254, or internal services.
Rejects Malformed URLs – Prevents exploitation via tricky URL formats.

4. Additional SSRF Protections

🔹 Block Private IP Ranges: Ensure the host isn’t an internal IP (192.168.x.x, 10.x.x.x, 127.0.0.1).
🔹 Use DNS Resolution Verification: Prevent attackers from bypassing allowlists using DNS rebinding.
🔹 Limit Redirects: Prevent open redirects that could bypass domain validation.

I have uploaded the demo video on my YouTube page @GamefiedHacking and the link has been shared below.

I

Cybersecurity, Firewall Configuration, Hacking, Java coding, Penetration Testing, Source Code Analysis, Spring boot, Vulnerability Management
Tags , , , , ,

About the Author

Pinewoodtech

You may also like these