SSRF
SSRF means “Server-side Request Forgery” (from here). If a web application fetches a URL resource supplied by user input, SSRF is possible. This may leak information about the server, and the web server itself may be used as a springboard for attacks against other systems.
In the case I got, a user can give any URL to the web application, and the web application sends an HTTP request to that URL. If the target of the URL returns a “302” redirect response whose target is an IP address inside the web application’s intranet, this causes a security issue: the server follows the redirect into its own network. To fix it, the web application that sends the HTTP request to a user-given URL should disable following redirects, as described here.
The following Python 3 script starts an HTTP server that returns “302” for all inbound HTTP requests:
# http://stackoverflow.com/questions/2506932/how-do-i-forward-a-request-to-a-different-url-in-python
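The server-side counterpart of that test server, as an added example that is not part of the original post: a fetcher for the user-supplied URL that rejects non-http schemes and internal addresses up front and, with redirect following disabled, hands a “302” back to the caller instead of contacting its Location. The function and class names (is_safe_target, fetch_user_url, NoRedirect) are assumptions chosen for this example.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

def is_internal_address(ip_text):
    """True for loopback, RFC 1918, link-local (where cloud metadata lives),
    multicast, reserved and unspecified addresses: never fetch these for a user."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def resolve_targets(host):
    """Every address the host resolves to; a literal IP resolves to itself."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_safe_target(url):
    """Allow only http(s) URLs whose host resolves solely to non-internal IPs."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolve_targets(parts.hostname)
    except socket.gaierror:
        return False
    return bool(addrs) and not any(is_internal_address(a) for a in addrs)

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib stop instead of following the Location header."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_user_url(url, timeout=5):
    """Fetch a user-supplied URL with the checks above applied (example name)."""
    if not is_safe_target(url):
        raise ValueError("refusing to fetch internal or non-http target")
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # With redirects disabled a 302 arrives here; return the status to the
        # caller instead of contacting the Location target.
        return err.code, b""
```

The hostname is resolved once for the check and again by urllib when it connects, so a name whose DNS answer changes between the two lookups can still slip past; pinning the checked address at connect time closes that gap.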
XSS
XSS means “Cross Site Scripting” (using “X” instead of “C” to differentiate it from “Cascading Style Sheets”). If a web application accepts a user input string and uses that string when rendering its HTML page, this issue may happen.
In the case I got, a user can give a URL like the one below:
https://example.com/apply/init?productId=1;alert(document.cookie);//&approveStatus=3
If the server side does not handle the user input correctly, for example by concatenating the productId directly into the output HTML page inside a JavaScript snippet, the injected “alert(document.cookie)” expression will be executed inside the user’s browser. Furthermore, if the content can be published, like a post on a BBS, this will affect all users of the web application. To avoid this issue, a web application should treat every piece of user input as untrusted and encode it safely before placing it in a page.
Return URL
In many cases, a web application supports a “return URL” feature like this:
https://example.com/developerExpand/initDeveloperExpand?productId=1&returnUrl=https://www.phishing.site/?productId=1
That means that after finishing some operation, the web application wants to send the browser to the “returnUrl”. If this feature accepts URLs outside the web application, it causes the following issue: an attacker can craft a URL whose “returnUrl” points to a phishing website and share the link with other users, who may then be attacked. To fix this issue, a whitelist of allowed URLs should be maintained and checked before redirecting the user’s browser to the “returnUrl”.
No permission check
Imagine your web application has the following URL:
https://example.com/edit?productId=1
If the server-side code just uses the “productId” to query the DB directly without any permission check, such as whether the current user is allowed to perform this operation, any user will be able to edit any product in the system. To fix this issue, use something like a servlet filter or a Spring interceptor to perform the permission check before doing the actual work.