SSRF means "Server-Side Request Forgery" (from here). If a web application fetches a URL supplied by the user, SSRF is possible: the attacker makes the server send requests on their behalf, which can leak information about the server and its internal network, and the web server can be used as a proxy for attacking other systems.
In the case I got, a user can give any URL to the web application, and the application sends an HTTP request to that URL. If the target of the URL answers with a "302" redirect and the Location of that "302" points at an IP address inside the application's intranet, the application follows it and makes a request the attacker could never send directly. To fix it, the code that sends the HTTP request to the user-given URL should not follow redirects at all, as described here. Disabling redirects only closes the redirect path; the URL the user supplies should itself be checked, after DNS resolution, against loopback, private and link-local address ranges.
The following Python 3 script starts an HTTP server that answers every inbound HTTP request with a "302":
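The script itself did not survive on this page, so what follows is an added example, not the original post's script: an attacker-style HTTP server that answers every request with a 302 into an "intranet" service, the fetch that follows the redirect and reads the internal data, and the fixed fetch that refuses redirects. Both servers, the secret string, and the `is_public_host` policy are constructed for the demo and run on loopback; `is_public_host` is the complementary check on the user-supplied URL itself.

```python
"""Added example (not the original post's script): SSRF through a 302 redirect,
with the vulnerable fetch and the fixed fetch side by side."""
import http.server
import ipaddress
import socket
import threading
import urllib.error
import urllib.request

# Constructed "intranet" service: in a real attack this is something only the app can reach.
INTRANET_SECRET = b"internal-only data"


class IntranetHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", str(len(INTRANET_SECRET)))
        self.end_headers()
        self.wfile.write(INTRANET_SECRET)

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_redirect_handler(target):
    """Attacker's server: whatever is requested, reply 302 with Location: <intranet target>."""
    class RedirectHandler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(302)
            self.send_header("Location", target)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):
            pass
    return RedirectHandler


def serve(handler):
    """Bind on an ephemeral loopback port, serve in a daemon thread, return (server, base URL)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]


def fetch_vulnerable(url):
    """The original behaviour: urllib follows the 302 wherever it points."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read()


class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # None => urllib does not follow; the 3xx surfaces as an HTTPError


def fetch_no_redirect(url):
    """The fix from the post: never follow redirects; a 3xx answer is an error, not a new request."""
    opener = urllib.request.build_opener(_RefuseRedirects)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            raise ValueError("refused redirect to %s" % err.headers.get("Location"))
        raise


def is_public_host(hostname):
    """Assumed policy for the user-supplied URL itself: resolve the host and reject any
    address that is not globally routable (loopback, RFC 1918, link-local, ...)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return False
    if not infos:
        return False
    # sockaddr[0] is the address string; strip an IPv6 scope id such as "%eth0" if present.
    return all(ipaddress.ip_address(info[4][0].split("%")[0]).is_global for info in infos)


def run_demo():
    """Start both constructed servers, fetch through both code paths, return what each saw."""
    intranet, intranet_url = serve(IntranetHandler)
    attacker, attacker_url = serve(make_redirect_handler(intranet_url + "admin"))
    try:
        stolen = fetch_vulnerable(attacker_url)
        try:
            blocked = fetch_no_redirect(attacker_url)
        except ValueError as err:
            blocked = str(err)
        return {"vulnerable": stolen, "hardened": blocked}
    finally:
        for srv in (attacker, intranet):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, result in run_demo().items():
        print("%-10s %r" % (name, result))
    print("127.0.0.1 public?", is_public_host("127.0.0.1"))
```

The vulnerable path returns the intranet data even though the user only named the attacker's host; the fixed path stops at the 302. Note that `is_public_host` resolves the name once and the HTTP client resolves it again when connecting, so a rebinding DNS name can still pass the check; the robust form connects to the address that was checked rather than re-resolving.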
XSS means "Cross-Site Scripting" (written with an "X" instead of a "C" to distinguish it from "Cascading Style Sheets"). If a web application accepts a user-supplied string and uses that string when rendering its HTML page, this issue may happen.
In the case I got, a user could supply a URL like the one below:
Many web applications support a "return URL" feature along these lines:
That is, after finishing some operation, the web application sends the browser to the "returnUrl". If this feature accepts a URL outside the web application, it causes the following issue: an attacker crafts a link whose "returnUrl" is a phishing site and shares it with other users, who trust it because it starts with the real application's domain. Strictly this is an open redirect rather than XSS; it becomes script execution only if the value is written into the page or a `javascript:` URL is assigned to the browser's location. To fix it, maintain a whitelist of allowed destinations and check the "returnUrl" against it before redirecting the user's browser; a bare scheme check is not enough, since "//evil.example" and "/\evil.example" have no scheme and still leave the site.
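The whitelist check described above, as an added example that is not part of the original post. The allowed host `app.example` and the fallback path are assumptions for the demo; the function accepts only local paths and absolute http(s) URLs whose host is on the list, and rejects the scheme-relative, backslash, userinfo and `javascript:` forms that commonly slip past naive checks.

```python
"""Added example (not the post's code): validating a user-supplied returnUrl against a whitelist."""
from urllib.parse import urlparse

# Constructed whitelist for the demo; in practice this is the application's own host(s).
ALLOWED_HOSTS = frozenset({"app.example"})


def safe_return_url(candidate, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return `candidate` if it stays inside the application, otherwise `fallback`."""
    # Reject control characters and whitespace outright: browsers strip some of them
    # ("java\nscript:"), so a parser-based check must never see them.
    if not candidate or any(ord(ch) < 0x21 for ch in candidate):
        return fallback
    parts = urlparse(candidate)
    if parts.scheme:
        # Absolute URL: only http(s), and only to a whitelisted host. Compare the parsed
        # hostname, not the raw string, so "https://app.example@evil.example/" fails
        # (hostname is evil.example) and "https://app.example.evil.example/" fails too.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return fallback
        host = (parts.hostname or "").lower()
        return candidate if host in allowed_hosts else fallback
    # No scheme: accept a local absolute path only. "//evil.example" parses with a netloc,
    # and "/\evil.example" is treated as "//evil.example" by browsers, so both are refused.
    if parts.netloc or not candidate.startswith("/") or candidate[1:2] in ("/", "\\"):
        return fallback
    return candidate


if __name__ == "__main__":
    for url in ["/account", "https://app.example/home", "https://evil.example/",
                "//evil.example/", "/\\evil.example", "javascript:alert(1)",
                "https://app.example@evil.example/"]:
        print("%-40s -> %s" % (url, safe_return_url(url)))
```

Comparing exact hostnames (not suffixes or substrings) is what makes the whitelist meaningful; if subdomains must be allowed, match them explicitly rather than with `endswith`.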
No permission check
Imagine your web application has the following URL:
If the server-side code just uses the "productId" to query the DB directly, without checking whether the current user is allowed to perform this operation on that product, any user can edit any product in the system (an insecure direct object reference). To fix it, perform the permission check in a central place such as a servlet filter or a Spring interceptor, so that it runs before the actual work and no individual handler can forget it.
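An added example of the two handlers, not the post's own code: the unchecked "edit product by productId" version beside an interceptor-style version where the permission check runs before the handler body. The users, the product table, the owner-or-admin rule and the status-code mapping are all constructed for the demo.

```python
"""Added example (not the post's code): missing permission check on productId, and the
interceptor-style fix that authorizes before doing the work."""
import functools
from dataclasses import dataclass


@dataclass
class User:
    id: int
    roles: frozenset


@dataclass
class Product:
    id: int
    owner_id: int
    name: str


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def make_db():
    """Constructed product table: product 1 belongs to user 1, product 2 to user 2."""
    return {1: Product(1, 1, "alice's widget"), 2: Product(2, 2, "bob's gadget")}


ALICE = User(1, frozenset())
BOB = User(2, frozenset())
ADMIN = User(99, frozenset({"admin"}))


def can_edit_product(user, product):
    """Assumed authorization rule: owners and admins may edit a product."""
    return "admin" in user.roles or product.owner_id == user.id


def edit_product_vulnerable(db, user, product_id, new_name):
    """What the post describes: the handler trusts productId and never asks who `user` is."""
    product = db[product_id]
    product.name = new_name
    return product


def authorize(check):
    """Filter/interceptor analogue: load the object and run `check` before the handler body,
    so a handler wrapped this way cannot skip the check."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(db, user, product_id, *args, **kwargs):
            product = db.get(product_id)
            if product is None:
                raise NotFound(product_id)
            if not check(user, product):
                raise Forbidden("user %d may not act on product %d" % (user.id, product_id))
            return handler(db, user, product, *args, **kwargs)
        return wrapper
    return decorator


@authorize(can_edit_product)
def edit_product(db, user, product, new_name):
    """The real work only; by the time this runs the caller is known to be allowed."""
    product.name = new_name
    return product


def handle_edit_request(db, user, product_id, new_name):
    """Web-layer shape of the fixed handler: map the exceptions to HTTP status codes."""
    try:
        product = edit_product(db, user, product_id, new_name)
    except NotFound:
        return 404, None
    except Forbidden:
        return 403, None
    return 200, product.name


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bob on product 1:", edit_product_vulnerable(db, BOB, 1, "bob's now").name)
    db = make_db()
    print("fixed, bob on product 1:", handle_edit_request(db, BOB, 1, "bob's now"))
    print("fixed, alice on product 1:", handle_edit_request(db, ALICE, 1, "renamed"))
    print("fixed, admin on product 2:", handle_edit_request(db, ADMIN, 2, "renamed"))
```

Whether a forbidden access returns 403 or 404 is a design choice: answering 404 for both cases hides which productIds exist from a user who is probing them, at the cost of less precise diagnostics.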