New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DefenseAgainstSSRF 设计不合理 #9

Open

hex0wn opened this issue Apr 7, 2020 · 1 comment

Contributor

hex0wn commented Apr 7, 2020

DefenseAgainstSSRF存在2点问题：

getURLInfo可以进行blind ssrf。 getRealIP的逻辑有点奇怪，先进行getURLInfo再根据host解析ip来判断。正常情况应该是先解析ip判断是不是内网，再通过ip（CURLOPT_RESOLVE、CURLOPT_DNS_LOCAL_IP4）进行访问
处理业务逻辑的代码，可以通过dns rebinding绕过校验进行ssrf。建议通过sdk封装方法供业务调用，使用第1步校验的ip来处理业务

^_^ 占个坑，等有空了提pr

jiaowodalang commented Mar 24, 2023

看了下这个ssrf的修复方式，getRealIP会先发起HEAD请求，实测php和spring，GET和HEAD请求的区别只在于HEAD只返回头部信息，接口剩余代码还是会执行，这个就还是可以扫内网

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment