
I am running a CheckMarx scan for one of my projects and it comes back with an SSRF vulnerability for one of the input string parameters of a method. My method is something like the one below, and the SSRF vulnerability is thrown for parameter param1.

public String method1(@WebParam(name = "param1") final String param1) {
    LOG.info("Inside method1...");
    // Reject empty or non-alphanumeric input before it reaches the outbound call
    if (StringUtils.isBlank(param1) || !StringUtils.isAlphanumeric(param1)) {
        throw new DataManipulationException();
    }
    // Call 3rd party here (method in line 87 below)
}

Inside the method I am calling a 3rd party URL with HttpClient GetMethod, with param1 passed as a query string parameter.

The SSRF finding from CheckMarx is:

The application sends a request to a remote server, for some resource, using @DestinationElement in \src\com\test\Test.java:87. However, an attacker can control the target of the request, by sending a URL or other data in param1 at \src\com\test\Test.java:55.

At line 55, I have

public String method1(@WebParam(name = "param1") final String param1) {

And at line 87 I have

private String processRequest(final GetMethod method) throws IOException {

Any help to resolve this SSRF vulnerability is appreciated. Thank you.

Prasann
  • So? What is your question? Or are you just bragging :D. Also your question is missing most of the relevant code... Anyway I'm sure the Checkmarx report also has explanation and recommendations? – AviD Jun 20 '17 at 13:29
  • My question was how to fix this SSRF vulnerability – Prasann Jun 21 '17 at 13:36
  • For a String request, I think this will be the [best solution](https://stackoverflow.com/a/58271734). – shankar dayal Dec 13 '19 at 13:56

1 Answer


To confirm the SSRF vulnerability, the code snippet of the processRequest method is also required. As far as I understand, CheckMarx reported the issue because "param1" could contain a third-party URL which is then used by the application. There are the following possibilities to mitigate the SSRF risk:

  • Do you require the third party to execute the function? If not, then you can safely remove that code.
  • If you require the third party and the URL remains the same, then you can hard-code that URL.
  • If you cannot hard-code it and it keeps changing, can you list out the possible third-party URLs? All possible third-party URLs must be reviewed manually, and white-listing performed to allow only the URLs which are required. OR all possible URLs should be stored in a file/database on the back-end and the user passes the id of that particular URL.
  • If URLs keep changing every time and there is no way to white-list, you should prevent the method from harming the application further. In this case, the code snippet of the method is required and the method should be reviewed properly.
Savan Gadhiya
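As an added example of the "pass an id, not a URL" option from the answer (this is not code from the question or the answer), the destination is selected from a fixed allowlist keyed by id, and param1 only ever becomes an encoded query value; the class name, ids and hosts are assumed for illustration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.regex.Pattern;

public final class ThirdPartyRequestBuilder {

    // Constructed allowlist: every reachable destination is fixed here (or loaded from
    // trusted config/database), and callers select one by id, never by URL.
    private static final Map<String, URI> ALLOWED_DESTINATIONS = Map.of(
        "partner-lookup", URI.create("https://partner.example.com/api/lookup"),
        "partner-status", URI.create("https://status.example.com/v1/check"));

    // Same restriction as the question's isAlphanumeric check, with a length bound.
    private static final Pattern ALPHANUMERIC = Pattern.compile("^[A-Za-z0-9]{1,64}$");

    private ThirdPartyRequestBuilder() {}

    /** Returns the full request URI for an allowlisted destination, or throws. */
    public static URI buildRequestUri(String destinationId, String param1) {
        URI base = ALLOWED_DESTINATIONS.get(destinationId);
        if (base == null) {
            throw new IllegalArgumentException("unknown destination id");
        }
        if (param1 == null || !ALPHANUMERIC.matcher(param1).matches()) {
            throw new IllegalArgumentException("param1 must be alphanumeric");
        }
        // Scheme, host and path come from the allowlist entry; param1 is URL-encoded and
        // placed only in the query string, so user input cannot redirect the request.
        String query = "id=" + URLEncoder.encode(param1, StandardCharsets.UTF_8);
        return URI.create(base + "?" + query);
    }

    public static void main(String[] args) {
        // Accepted: known id plus alphanumeric value
        System.out.println(buildRequestUri("partner-lookup", "abc123"));
        // Rejected: caller tries to supply a URL instead of an id
        try {
            buildRequestUri("http://internal.example.com/admin", "abc123");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The GetMethod in processRequest would then be constructed from the returned URI, so a scan tool can see that no user-controlled string decides the target host.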