In this blog we are going to discuss Server-Side Request Forgery (SSRF) and demo how the exploitation is carried out on the vulnerable web application called PinewoodStore. We would also analyze the vulnerable code found in the PinewoodStore web application and a secure implementation using an allowlist of trusted hosts.
Server-Side Request Forgery (SSRF)
1. What is SSRF?
Server-Side Request Forgery (SSRF) is a security vulnerability that allows an attacker to make unauthorized requests from a server. This can lead to data exfiltration, internal network access, and even Remote Code Execution (RCE) in some cases.
Example SSRF Attack Scenarios
- Internal Network Access β Attackers exploit SSRF to reach internal systems (
http://localhost,http://169.254.169.254/) that should not be publicly accessible. - Cloud Metadata Exploitation β Attackers retrieve AWS or Google Cloud credentials from
http://169.254.169.254/latest/meta-data/. - Bypassing Firewalls β The application makes requests from the backend, which may have broader access than the attackerβs client.
2. Vulnerable SSRF Code in PinewoodStore
The following vulnerable implementation exists in the PinewoodStore web application:
@RestController
@CrossOrigin(origins = {"http://localhost:3000","http://192.168.1.80:3000"}) // Adjust based on your frontend URL
public class UrlFetchController {
@PostMapping("/fetch-data")
public String fetchData(@RequestBody String url) {
try {
// Directly using user-provided URL (Vulnerable to SSRF)
System.out.println(url);
String newUrl = url.replace("\"", ""); // Unsafe way to sanitize URL
System.out.println(newUrl);
URL targetUrl = new URL(newUrl);
HttpURLConnection connection = (HttpURLConnection) targetUrl.openConnection();
connection.setRequestMethod("GET");
InputStream inputStream = connection.getInputStream();
return new String(inputStream.readAllBytes(), StandardCharsets.UTF_8);
} catch (Exception e) {
return "Error fetching data: " + e.getMessage();
}
}
}
Why This Code is Vulnerable?
β Directly Accepts User Input β The URL comes from an untrusted source and is processed without validation.
β Can Access Internal Networks β Attackers can supply http://localhost:8080/admin or http://169.254.169.254/latest/meta-data/ to reach sensitive resources.
β Potential for Unauthorized Data Access β The application fetches data and returns it without restricting where the request is made.
3. Secure Implementation Using an Allowlist
To mitigate SSRF, an allowlist of trusted domains should be enforced. The secure version of the fetchData method ensures that requests are only sent to allowed hosts.
Secure Implementation
@RestController
@CrossOrigin(origins = {"http://localhost:3000","http://192.168.1.80:3000"}) // Adjust based on your frontend URL
public class SecureUrlFetchController {
// Allow only trusted domains
private static final List<String> ALLOWED_HOSTS = Arrays.asList("pinewoodstore.com", "api.pinewoodstore.com");
@PostMapping("/fetch-data")
public String fetchData(@RequestBody String url) {
try {
// Parse URL
URL targetUrl = new URL(url.replace("\"", ""));
String host = targetUrl.getHost();
// Validate host against the allowlist
if (!ALLOWED_HOSTS.contains(host)) {
return "Blocked: Untrusted host!";
}
HttpURLConnection connection = (HttpURLConnection) targetUrl.openConnection();
connection.setRequestMethod("GET");
InputStream inputStream = connection.getInputStream();
return new String(inputStream.readAllBytes(), StandardCharsets.UTF_8);
} catch (MalformedURLException e) {
return "Invalid URL!";
} catch (Exception e) {
return "Error fetching data: " + e.getMessage();
}
}
}
How This Fixes SSRF?
β
Uses an Allowlist β The host of the requested URL must match "pinewoodstore.com" or "api.pinewoodstore.com".
β
Blocks Requests to Internal Networks β Attackers cannot reach localhost, 169.254.169.254, or internal services.
β
Rejects Malformed URLs β Prevents exploitation via tricky URL formats.
4. Additional SSRF Protections
πΉ Block Private IP Ranges: Ensure the host isn’t an internal IP (192.168.x.x, 10.x.x.x, 127.0.0.1).
πΉ Use DNS Resolution Verification: Prevent attackers from bypassing allowlists using DNS rebinding.
πΉ Limit Redirects: Prevent open redirects that could bypass domain validation.
I have uploaded the demo video on my YouTube page @GamefiedHacking and the link has been shared below.
