Merge pull request #10 from sip49/pixeebot/drip-2024-01-02-pixee-java…
…/sandbox-url-creation

Sandboxed URL creation to prevent SSRF attacks
sip49 authored Jan 22, 2024
2 parents 3dbc244 + 25fac0e commit 4e5ad11
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
Expand Up @@ -22,6 +22,8 @@

package org.owasp.webgoat.lessons.ssrf;

import io.github.pixee.security.HostValidator;
import io.github.pixee.security.Urls;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
Expand All @@ -48,7 +50,7 @@ public AttackResult completed(@RequestParam String url) {
protected AttackResult furBall(String url) {
if (url.matches("http://ifconfig.pro")) {
String html;
try (InputStream in = new URL(url).openStream()) {
try (InputStream in = Urls.create(url, Urls.HTTP_PROTOCOLS, HostValidator.DENY_COMMON_INFRASTRUCTURE_TARGETS).openStream()) {
html =
new String(in.readAllBytes(), StandardCharsets.UTF_8)
.replaceAll("\n", "<br>"); // Otherwise the \n gets escaped in the response
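Review bot: The deny-list passed to `Urls.create` on the changed `try` line appears to check the host only as written in the string, so it may not cover a redirect that `openStream()` follows or a name that resolves to an internal address; this is inferred from the validator's name and should be confirmed against the library. Since the guard above accepts a single URL, pinning it exactly is tighter than a deny-list: the unescaped `.` in `url.matches("http://ifconfig.pro")` is a regex wildcard, and `if ("http://ifconfig.pro".equals(url)) {` removes that slack. The `catch` clauses of this `try` lie outside the hunk; if `Urls.create` signals a rejected host with an unchecked exception, check that it is handled there rather than surfacing as a server error. A short comment such as `// url is pinned above; Urls.create is defense in depth against unexpected schemes and internal hosts` would tell the next reader why both checks exist.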
