Java SSRF漏洞分析与防护指南<\/h1>

1. SSRF漏洞概述<\/h2>
SSRF(Server-side Request Forge, 服务端请求伪造)是一种由攻击者构造恶意链接传给服务端执行造成的漏洞，主要用于外网探测或攻击内网服务。<\/p>

2. Java网络请求支持的协议<\/h2>

Java不像PHP有cURL，支持的协议需要通过以下方式检测：<\/p>

代码中遍历协议<\/li>
官方文档查看<\/li>

通过

import sun.net.www.protocol<\/code>查看<\/li>
<\/ul>
Java支持以下协议：<\/p>

file<\/li>
ftp<\/li>
mailto<\/li>
http<\/li>
https<\/li>
jar<\/li>
netdoc<\/li>
<\/ul>
3. Java中发起网络请求的类<\/h2>
3.1 仅支持HTTP\/HTTPS协议的类<\/h3>

HttpClient<\/li>
Request (HttpClient封装类)<\/li>
HttpURLConnection<\/li>
okhttp<\/li>
<\/ul>
3.2 支持所有协议的类<\/h3>

URLConnection<\/li>
URL<\/li>
<\/ul>
4. 典型漏洞代码示例<\/h2>
@RequestMapping<\/span>(<\/span>"\/download"<\/span>)<\/span>
<\/span><\/span>@ResponseBody<\/span>
<\/span><\/span>public<\/span> void<\/span> downLoadImg<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> IOException{<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        String url =<\/span> request.<\/span>getParameter<\/span>(<\/span>"url"<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>StringUtils.<\/span>isBlank<\/span>(<\/span>url))<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> IllegalArgumentException(<\/span>"url异常"<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        downLoadImg(<\/span>response,<\/span> url);<\/span>
<\/span><\/span>    }<\/span>catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> IllegalArgumentException(<\/span>"异常"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> void<\/span> downLoadImg<\/span> (<\/span>HttpServletResponse response,<\/span> String url)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    InputStream inputStream =<\/span> null<\/span>;<\/span>
<\/span><\/span>    OutputStream outputStream =<\/span> null<\/span>;<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        String downLoadImgFileName =<\/span> Files.<\/span>getNameWithoutExtension<\/span>(<\/span>url)+<\/span>"."<\/span>+<\/span>Files.<\/span>getFileExtension<\/span>(<\/span>url);<\/span>
<\/span><\/span>        response.<\/span>setHeader<\/span>(<\/span>"content-disposition"<\/span>,<\/span> "attachment;fileName="<\/span> +<\/span> downLoadImgFileName);<\/span>
<\/span><\/span>        URL u;<\/span>
<\/span><\/span>        int<\/span> length;<\/span>
<\/span><\/span>        byte<\/span>[]<\/span> bytes =<\/span> new<\/span> byte<\/span>[<\/span>1024<\/span>];<\/span>
<\/span><\/span>        u =<\/span> new<\/span> URL(<\/span>url);<\/span>
<\/span><\/span>        inputStream =<\/span> u.<\/span>openStream<\/span>();<\/span>
<\/span><\/span>        outputStream =<\/span> response.<\/span>getOutputStream<\/span>();<\/span>
<\/span><\/span>        while<\/span> ((<\/span>length =<\/span> inputStream.<\/span>read<\/span>(<\/span>bytes))<\/span> ><\/span> 0<\/span>)<\/span> {<\/span>
<\/span><\/span>            outputStream.<\/span>write<\/span>(<\/span>bytes,<\/span> 0<\/span>,<\/span> length);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>    }<\/span>finally<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>inputStream !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            inputStream.<\/span>close<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        if<\/span> (<\/span>outputStream !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            outputStream.<\/span>close<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. SSRF利用方式<\/h2>
5.1 直接利用<\/h3>


利用file协议读取任意文件：<\/p>
curl -v 'http:\/\/localhost:8080\/download?url=file:\/\/\/etc\/passwd'<\/span>
<\/span><\/span><\/code><\/pre><\/li>

利用http\/https协议进行端口探测<\/p>
<\/li>
<\/ul>
5.2 302跳转尝试<\/h3>
Java对302跳转有以下限制：<\/p>

实际跳转的url必须在支持的协议内<\/li>
传入的url协议必须和重定向的url协议一致<\/li>
<\/ol>
因此无法通过302跳转到gopher协议绕过限制。<\/p>
6. 白盒检测规则<\/h2>
检测以下四种情况的代码：<\/p>

Request类发起请求：<\/li>
<\/ol>
Request.<\/span>Get<\/span>(<\/span>url).<\/span>execute<\/span>()<\/span>
<\/span><\/span><\/code><\/pre>
URL类的openStream方法：<\/li>
<\/ol>
URL u =<\/span> new<\/span> URL(<\/span>url);<\/span>
<\/span><\/span>inputStream =<\/span> u.<\/span>openStream<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>
HttpClient发起请求：<\/li>
<\/ol>
String url =<\/span> "http:\/\/127.0.0.1"<\/span>;<\/span>
<\/span><\/span>CloseableHttpClient client =<\/span> HttpClients.<\/span>createDefault<\/span>();<\/span>
<\/span><\/span>HttpGet httpGet =<\/span> new<\/span> HttpGet(<\/span>url);<\/span>
<\/span><\/span>HttpResponse httpResponse =<\/span> client.<\/span>execute<\/span>(<\/span>httpGet);<\/span>
<\/span><\/span><\/code><\/pre>
URLConnection和HttpURLConnection：<\/li>
<\/ol>
URLConnection urlConnection =<\/span> url.<\/span>openConnection<\/span>();<\/span>
<\/span><\/span>HttpURLConnection urlConnection =<\/span> url.<\/span>openConnection<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>7. 漏洞修复方案<\/h2>
7.1 修复原则<\/h3>

限制协议为HTTP、HTTPS协议<\/li>
禁止URL传入内网IP或设置URL白名单<\/li>
无需限制302重定向<\/li>
<\/ol>
7.2 修复代码实现<\/h3>
添加Guava库依赖（用于获取一级域名）：<\/p>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>com.google.guava<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>guava<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>21.0<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>验证逻辑：<\/p>
String[]<\/span> urlwhitelist =<\/span> {<\/span>"joychou.org"<\/span>,<\/span> "joychou.me"<\/span>};<\/span>
<\/span><\/span>if<\/span> (!<\/span>securitySSRFUrlCheck(<\/span>url,<\/span> urlwhitelist))<\/span> {<\/span>
<\/span><\/span>    return<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>安全验证函数：<\/p>
public<\/span> static<\/span> Boolean securitySSRFUrlCheck<\/span>(<\/span>String url,<\/span> String[]<\/span> urlwhitelist)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        URL u =<\/span> new<\/span> URL(<\/span>url);<\/span>
<\/span><\/span>        \/\/ 只允许http和https的协议通过
<\/span><\/span><\/span><\/span>        if<\/span> (!<\/span>u.<\/span>getProtocol<\/span>().<\/span>startsWith<\/span>(<\/span>"http"<\/span>)<\/span> &&<\/span> !<\/span>u.<\/span>getProtocol<\/span>().<\/span>startsWith<\/span>(<\/span>"https"<\/span>))<\/span> {<\/span>
<\/span><\/span>            return<\/span> false<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        \/\/ 获取域名,并转为小写
<\/span><\/span><\/span><\/span>        String host =<\/span> u.<\/span>getHost<\/span>().<\/span>toLowerCase<\/span>();<\/span>
<\/span><\/span>        \/\/ 获取一级域名
<\/span><\/span><\/span><\/span>        String rootDomain =<\/span> InternetDomainName.<\/span>from<\/span>(<\/span>host).<\/span>topPrivateDomain<\/span>().<\/span>toString<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        for<\/span> (<\/span>String whiteurl:<\/span> urlwhitelist){<\/span>
<\/span><\/span>            if<\/span> (<\/span>rootDomain.<\/span>equals<\/span>(<\/span>whiteurl))<\/span> {<\/span>
<\/span><\/span>                return<\/span> true<\/span>;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>8. 总结<\/h2>
Java SSRF漏洞的主要特点：<\/p>

支持的协议有限，但包含危险的file协议<\/li>
302跳转有严格限制，难以利用跳转绕过<\/li>
主要风险来自URL和URLConnection类的使用<\/li>
修复方案应结合协议限制和域名白名单<\/li>
<\/ul>
通过严格的协议限制和域名白名单验证，可以有效防护Java应用中的SSRF漏洞。<\/p>

Java SSRF漏洞分析与防护指南<\/h1>

1. SSRF漏洞概述<\/h2> SSRF(Server-side Request Forge, 服务端请求伪造)是一种由攻击者构造恶意链接传给服务端执行造成的漏洞，主要用于外网探测或攻击内网服务。<\/p>

3. Java中发起网络请求的类<\/h2>

5. SSRF利用方式<\/h2>

7. 漏洞修复方案<\/h2>

1. SSRF漏洞概述<\/h2>
SSRF(Server-side Request Forge, 服务端请求伪造)是一种由攻击者构造恶意链接传给服务端执行造成的漏洞，主要用于外网探测或攻击内网服务。<\/p>