How to Check a URL for High-Risk or Vulnerable Paths in Java
Check whether an input URL or relative path is a server administration path using an API in Java.
Whether for business or personal use, we interact with URLs every day. They are our gateway for publishing and accessing information across the web, and because they are so universal, attackers constantly scrutinize them for security weaknesses. One risk that can be hard to spot is a URL that is a server administration path; if it is, it becomes a potential target for remote access attacks. Server administration paths are high-risk URLs used by web applications or databases to reach the set of directories they administer. While they are common and convenient, they can give malicious users a window onto directories that should be off-limits.
These windows usually open when a developer makes a mistake while building the access model for an application or site. For example, suppose a user requests a public file in a web browser via a GET request; once the file is retrieved, that user could apply educated guesswork to reach other files in the same directory by posing as an administrator, and from there execute commands and expose confidential information. Rather than testing your URLs or paths for this vulnerability by hand, this article shows how to use the following API in Java to check your paths for this risk automatically and avoid the repercussions of an attack.
First, install the SDK library for Maven by adding a JitPack repository reference to pom.xml:
Then, add a reference to the dependency:
With the installation complete, we are ready to add our imports to the top of the controller and call the validation function:
For the call to succeed, supply the following parameters:
- Value – the URL or relative path to check, e.g. "/admin/login". The input is a string, so enclose it in double quotes.
- API key – your personal API key; this is free on the Cloudmersive website and will provide access to 800 monthly calls across our entire library of APIs.
The call returns whether the given URL or path is a server administration path. With this check in place, you can guard against the errors that would allow this type of vulnerability to occur.
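As an added example (not the Cloudmersive SDK or the article's own code), the following local Java pre-check shows why the value must be canonicalised before it is compared with a list of administration paths: a full URL, a percent-encoded segment, a traversal sequence and mixed case all resolve to the same path before the prefix match. The `ADMIN_PREFIXES` list is constructed for illustration only; the hosted API's dataset is what you would rely on in practice.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;
import java.util.Locale;

// Added example, not the Cloudmersive SDK: local canonicalisation plus a constructed admin-prefix list.
public final class AdminPathCheck {
    private static final List<String> ADMIN_PREFIXES = List.of(        // constructed sample list
            "/admin", "/administrator", "/wp-admin", "/phpmyadmin", "/manager/html");

    // Reduce a full URL or relative path to a lower-case, dot-segment-free absolute path.
    static String normalize(String value) {
        String path = value.trim();
        int schemeEnd = path.indexOf("://");
        if (schemeEnd > 0) {                                  // full URL: drop scheme and host
            int firstSlash = path.indexOf('/', schemeEnd + 3);
            path = firstSlash < 0 ? "/" : path.substring(firstSlash);
        }
        for (char c : new char[] {'?', '#'}) {                // drop query string and fragment
            int cut = path.indexOf(c);
            if (cut >= 0) path = path.substring(0, cut);
        }
        // Decode twice so double-encoded sequences such as %252e%252e cannot hide a segment.
        path = decodeLenient(decodeLenient(path)).replace('\\', '/');
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { segments.pollLast(); continue; }  // resolve traversal
            segments.addLast(seg.toLowerCase(Locale.ROOT));
        }
        return "/" + String.join("/", segments);
    }

    private static String decodeLenient(String s) {           // a malformed "%zz" stays literal
        try { return URLDecoder.decode(s, StandardCharsets.UTF_8); }
        catch (IllegalArgumentException e) { return s; }
    }

    // True when the canonical path is, or sits under, a listed administration path.
    static boolean isAdminPath(String value) {
        String path = normalize(value);
        return ADMIN_PREFIXES.stream().anyMatch(p -> path.equals(p) || path.startsWith(p + "/"));
    }

    public static void main(String[] args) {
        for (String s : List.of("/admin/login", "https://example.com/Admin/?x=1", "/public/../admin/users",
                "/%61dmin/config", "/administration-policy.pdf")) {
            System.out.println(s + " -> " + isAdminPath(s));   // true, true, true, true, false
        }
    }
}
```

The last sample shows why the match is on a whole path segment rather than a bare `startsWith("/admin")`: a document named `/administration-policy.pdf` is not an administration path.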