How to Protect URLs from SSRF Threats in Java
Learn how to check URLs for standard and HTML embedded Server-Side Request Forgery attacks using APIs in Java.
CORE
·
Join the DZone community and get the full member experience.
Join For FreeServer-side request forgery (SSRF) attacks are yet another form of cyber-crime, and they are designed to specifically target a server by sending back-end requests from vulnerable web applications. These attacks can threaten not only servers, but other connected confidential information such as cloud services in AWS, Azure, and OpenStack as well. They can be especially challenging to battle since they are generally used to target internal systems protected by firewalls that are inaccessible from the external network; by directing these strikes, the attacker has the potential to gain full or partial control of the requests sent by a web application.
There are multiple approaches that the malicious user may take in a typical SSRF attack; a frequently seen example is by inducing the server to create a connection back to itself or external third-party services. From here, the attacker can seize control of the third-party service URL to which the web application makes a request. Other examples include making requests to internal resources, running port scans on internal IPs, and more. These attacks exploit relationships that your server has built, inciting trust only to strike the vulnerable application and carry out their own agenda.
Our main goal in today’s demonstration is to provide you with a few APIs that can assist in detecting SSRF attacks, ensuring your server remains safe from these inconspicuous threats.
To kick things off, we will install the Maven SDK by adding a jitpack reference to the repository:
<repositories>
<repository>
<id>jitpack.io</id>
<url>https://jitpack.io</url>
</repository>
</repositories>Then, we will add a reference to the dependency:
<dependencies>
<dependency>
<groupId>com.github.Cloudmersive</groupId>
<artifactId>Cloudmersive.APIClient.Java</artifactId>
<version>v3.90</version>
</dependency>
</dependencies>The first function we will cover is how to test if a single URL contains an SSRF threat; this can be useful for automatically testing URLs that are uploaded to your application or website. Below is some example code that will show how to structure the API call:
// Import classes:
//import com.cloudmersive.client.invoker.ApiClient;
//import com.cloudmersive.client.invoker.ApiException;
//import com.cloudmersive.client.invoker.Configuration;
//import com.cloudmersive.client.invoker.auth.*;
//import com.cloudmersive.client.DomainApi;
ApiClient defaultClient = Configuration.getDefaultApiClient();
// Configure API key authorization: Apikey
ApiKeyAuth Apikey = (ApiKeyAuth) defaultClient.getAuthentication("Apikey");
Apikey.setApiKey("YOUR API KEY");
// Uncomment the following line to set a prefix for the API key, e.g. "Token" (defaults to null)
//Apikey.setApiKeyPrefix("Token");
DomainApi apiInstance = new DomainApi();
UrlSsrfRequestFull request = new UrlSsrfRequestFull(); // UrlSsrfRequestFull | Input URL request
try {
UrlSsrfResponseFull result = apiInstance.domainSsrfCheck(request);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling DomainApi#domainSsrfCheck");
e.printStackTrace();
}In order for the operation to run smoothly, you will need to input the following parameters:
- Input URL Request - the URL you wish to scan for threats – example code below:
{
"URL": "string",
"BlockedDomains": [
"string"
]
}- API Key – your personal API key; this can be retrieved by registering for a free account on the Cloudmersive website.
Our next function performs the same scan, except you can input multiple URLs and run them as a batch request:
// Import classes:
//import com.cloudmersive.client.invoker.ApiClient;
//import com.cloudmersive.client.invoker.ApiException;
//import com.cloudmersive.client.invoker.Configuration;
//import com.cloudmersive.client.invoker.auth.*;
//import com.cloudmersive.client.DomainApi;
ApiClient defaultClient = Configuration.getDefaultApiClient();
// Configure API key authorization: Apikey
ApiKeyAuth Apikey = (ApiKeyAuth) defaultClient.getAuthentication("Apikey");
Apikey.setApiKey("YOUR API KEY");
// Uncomment the following line to set a prefix for the API key, e.g. "Token" (defaults to null)
//Apikey.setApiKeyPrefix("Token");
DomainApi apiInstance = new DomainApi();
UrlSsrfRequestBatch request = new UrlSsrfRequestBatch(); // UrlSsrfRequestBatch | Input URL request as a batch of multiple URLs
try {
UrlSsrfResponseBatch result = apiInstance.domainSsrfCheckBatch(request);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling DomainApi#domainSsrfCheckBatch");
e.printStackTrace();
}For our last function, we will protect against a different way attackers can deploy SSRF attacks; by injecting them into HTML. This approach provides an opening to access unsafe local or network paths in the server environment. The following API can be used to automatically detect the threats from HTML text:
// Import classes:
//import com.cloudmersive.client.invoker.ApiClient;
//import com.cloudmersive.client.invoker.ApiException;
//import com.cloudmersive.client.invoker.Configuration;
//import com.cloudmersive.client.invoker.auth.*;
//import com.cloudmersive.client.DomainApi;
ApiClient defaultClient = Configuration.getDefaultApiClient();
// Configure API key authorization: Apikey
ApiKeyAuth Apikey = (ApiKeyAuth) defaultClient.getAuthentication("Apikey");
Apikey.setApiKey("YOUR API KEY");
// Uncomment the following line to set a prefix for the API key, e.g. "Token" (defaults to null)
//Apikey.setApiKeyPrefix("Token");
DomainApi apiInstance = new DomainApi();
UrlHtmlSsrfRequestFull request = new UrlHtmlSsrfRequestFull(); // UrlHtmlSsrfRequestFull | Input URL request
try {
UrlHtmlSsrfResponseFull result = apiInstance.domainUrlHtmlSsrfCheck(request);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling DomainApi#domainUrlHtmlSsrfCheck");
e.printStackTrace();
}By utilizing one or a combination of these functions, you can provide your server with superior protection against SSRF threats.
Opinions expressed by DZone contributors are their own.
Comments