Java代码审计中的SSRF漏洞深度解析<\/h1>

一、SSRF漏洞原理与危害<\/h2>

1.1 SSRF定义<\/h3>
SSRF(Server-Side Request Forgery)即服务端请求伪造漏洞，攻击者通过构造恶意请求使服务端发起非预期的网络请求。<\/p>

1.2 主要危害<\/h3>

访问内部敏感系统（如数据库、管理后台）<\/li>
端口扫描探测内网服务<\/li>
通过文件协议(file:\/\/)读取本地文件<\/li>

与其他漏洞形成链式攻击（如XXE+SSRF组合攻击）<\/li> <\/ul>

二、Java中常见的SSRF漏洞场景<\/h2>

2.1 Spring MVC HttpURLConnection漏洞<\/h3>

漏洞代码示例<\/h4>

import<\/span> org.springframework.web.bind.annotation.*;<\/span>
<\/span><\/span>import<\/span> java.net.*;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>
<\/span><\/span>@RestController<\/span>
<\/span><\/span>public<\/span> class<\/span> VulnerableController<\/span> {<\/span>
<\/span><\/span>    @GetMapping<\/span>(<\/span>"\/request"<\/span>)<\/span>
<\/span><\/span>    public<\/span> String requestUrl<\/span>(<\/span>@RequestParam<\/span>(<\/span>"url"<\/span>)<\/span> String urlString)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        URL url =<\/span> new<\/span> URL(<\/span>urlString);<\/span> \/\/ 漏洞根源:直接使用未校验的用户输入
<\/span><\/span><\/span><\/span>        HttpURLConnection conn =<\/span> (<\/span>HttpURLConnection)<\/span> url.<\/span>openConnection<\/span>();<\/span>
<\/span><\/span>        conn.<\/span>setRequestMethod<\/span>(<\/span>"GET"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 读取响应内容
<\/span><\/span><\/span><\/span>        StringBuilder response =<\/span> new<\/span> StringBuilder();<\/span>
<\/span><\/span>        try<\/span> (<\/span>BufferedReader in =<\/span> new<\/span> BufferedReader(<\/span>
<\/span><\/span>            new<\/span> InputStreamReader(<\/span>conn.<\/span>getInputStream<\/span>())))<\/span> {<\/span>
<\/span><\/span>            String inputLine;<\/span>
<\/span><\/span>            while<\/span> ((<\/span>inputLine =<\/span> in.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                response.<\/span>append<\/span>(<\/span>inputLine);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> response.<\/span>toString<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞执行流程分析<\/h4>

攻击入口<\/strong>：攻击者访问\/request?url=http:\/\/attacker.com<\/code>端点<\/li>
参数注入<\/strong>：urlString<\/code>参数直接接收用户输入(如http:\/\/192.168.1.1:8080<\/code>)<\/li>
建立连接<\/strong>：new URL(urlString)<\/code>未做任何校验即实例化URL对象<\/li>
发起请求<\/strong>：conn.getInputStream()<\/code>触发网络请求<\/li>
数据泄露<\/strong>：读取响应内容并返回给攻击者<\/li>
<\/ol>
典型利用场景<\/h4>
GET \/request?url=file:\/\/\/etc\/passwd HTTP\/1.1
GET \/request?url=http:\/\/169.254.169.254\/latest\/meta-data\/ HTTP\/1.1 # AWS元数据
<\/code><\/pre>
2.2 Apache HttpClient漏洞<\/h3>
漏洞代码示例<\/h4>
import<\/span> org.apache.http.client.methods.*;<\/span>
<\/span><\/span>import<\/span> org.apache.http.impl.client.*;<\/span>
<\/span><\/span>
<\/span><\/span>@GetMapping<\/span>(<\/span>"\/apacheRequest"<\/span>)<\/span>
<\/span><\/span>public<\/span> String apacheRequest<\/span>(<\/span>String url)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    try<\/span> (<\/span>CloseableHttpClient client =<\/span> HttpClients.<\/span>createDefault<\/span>())<\/span> {<\/span>
<\/span><\/span>        HttpGet request =<\/span> new<\/span> HttpGet(<\/span>url);<\/span> \/\/ 漏洞点:直接使用用户输入
<\/span><\/span><\/span><\/span>        try<\/span> (<\/span>CloseableHttpResponse response =<\/span> client.<\/span>execute<\/span>(<\/span>request))<\/span> {<\/span>
<\/span><\/span>            return<\/span> EntityUtils.<\/span>toString<\/span>(<\/span>response.<\/span>getEntity<\/span>());<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞触发路径<\/h4>

请求构造<\/strong>：HttpGet<\/code>直接使用未过滤的URL参数<\/li>
协议支持<\/strong>：默认支持http<\/code>\/https<\/code>\/ftp<\/code>\/file<\/code>等协议<\/li>
<\/ol>
攻击示例<\/h4>
\/\/ 探测Redis服务
<\/span><\/span><\/span><\/span>client.<\/span>execute<\/span>(<\/span>new<\/span> HttpGet(<\/span>"http:\/\/127.0.0.1:6379"<\/span>))<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 读取本地文件
<\/span><\/span><\/span><\/span>client.<\/span>execute<\/span>(<\/span>new<\/span> HttpGet(<\/span>"file:\/\/\/C:\/Windows\/win.ini"<\/span>))<\/span>
<\/span><\/span><\/code><\/pre>2.3 OkHttpClient漏洞<\/h3>
漏洞代码示例<\/h4>
import<\/span> okhttp3.*;<\/span>
<\/span><\/span>
<\/span><\/span>@GetMapping<\/span>(<\/span>"\/okHttpRequest"<\/span>)<\/span>
<\/span><\/span>public<\/span> String okHttpRequest<\/span>(<\/span>String inputUrl)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    OkHttpClient client =<\/span> new<\/span> OkHttpClient();<\/span>
<\/span><\/span>    Request request =<\/span> new<\/span> Request.<\/span>Builder<\/span>()<\/span>
<\/span><\/span>        .<\/span>url<\/span>(<\/span>inputUrl)<\/span> \/\/ 漏洞核心:未校验的URL输入
<\/span><\/span><\/span><\/span>        .<\/span>build<\/span>();<\/span>
<\/span><\/span>    try<\/span> (<\/span>Response response =<\/span> client.<\/span>newCall<\/span>(<\/span>request).<\/span>execute<\/span>())<\/span> {<\/span>
<\/span><\/span>        return<\/span> response.<\/span>body<\/span>().<\/span>string<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞利用特征<\/h4>

协议处理<\/strong>：支持http<\/code>\/https<\/code>\/ftp<\/code>\/file<\/code>\/jar<\/code>等协议<\/li>
绕过技巧<\/strong>：<\/li>
<\/ol>
\/\/ 使用302跳转绕过白名单检测
<\/span><\/span><\/span><\/span>.<\/span>url<\/span>(<\/span>"http:\/\/safe.com\/redirect?target=http:\/\/internal"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>三、SSRF漏洞防御方案<\/h2>
3.1 输入验证与过滤<\/h3>

白名单校验<\/strong>：只允许访问特定的域名或IP<\/li>
协议限制<\/strong>：禁止file:\/\/<\/code>、ftp:\/\/<\/code>等危险协议<\/li>
URL解析<\/strong>：使用java.net.URI<\/code>代替java.net.URL<\/code>进行更严格的解析<\/li>
<\/ol>
3.2 网络层防护<\/h3>

内网访问限制<\/strong>：禁止访问私有IP段(10.0.0.0\/8, 172.16.0.0\/12, 192.168.0.0\/16)<\/li>
DNS重绑定防护<\/strong>：验证DNS解析结果与请求目标是否一致<\/li>
<\/ol>
3.3 代码实现建议<\/h3>

使用安全的HTTP客户端<\/strong>：配置默认的协议限制<\/li>
响应处理<\/strong>：不将原始响应直接返回给客户端<\/li>
认证与授权<\/strong>：确保服务端请求也经过适当的认证<\/li>
<\/ol>
四、修复代码示例<\/h2>
4.1 Spring MVC安全实现<\/h3>
@GetMapping<\/span>(<\/span>"\/safeRequest"<\/span>)<\/span>
<\/span><\/span>public<\/span> String safeRequest<\/span>(<\/span>@RequestParam<\/span>(<\/span>"url"<\/span>)<\/span> String urlString)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    \/\/ 白名单校验
<\/span><\/span><\/span><\/span>    if<\/span> (!<\/span>urlString.<\/span>startsWith<\/span>(<\/span>"https:\/\/trusted.com\/"<\/span>))<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> IllegalArgumentException(<\/span>"Invalid URL"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 使用URI进行更严格的解析
<\/span><\/span><\/span><\/span>    URI uri =<\/span> new<\/span> URI(<\/span>urlString);<\/span>
<\/span><\/span>    URL url =<\/span> uri.<\/span>toURL<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 其他安全措施...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.2 Apache HttpClient安全配置<\/h3>
@GetMapping<\/span>(<\/span>"\/safeApacheRequest"<\/span>)<\/span>
<\/span><\/span>public<\/span> String safeApacheRequest<\/span>(<\/span>String url)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 验证URL
<\/span><\/span><\/span><\/span>    if<\/span> (!<\/span>isUrlAllowed(<\/span>url))<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> SecurityException(<\/span>"URL not allowed"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    try<\/span> (<\/span>CloseableHttpClient client =<\/span> HttpClients.<\/span>createDefault<\/span>())<\/span> {<\/span>
<\/span><\/span>        HttpGet request =<\/span> new<\/span> HttpGet(<\/span>url);<\/span>
<\/span><\/span>        \/\/ 设置超时防止SSRF导致的拒绝服务
<\/span><\/span><\/span><\/span>        RequestConfig config =<\/span> RequestConfig.<\/span>custom<\/span>()<\/span>
<\/span><\/span>            .<\/span>setConnectTimeout<\/span>(<\/span>5000<\/span>)<\/span>
<\/span><\/span>            .<\/span>setSocketTimeout<\/span>(<\/span>5000<\/span>)<\/span>
<\/span><\/span>            .<\/span>build<\/span>();<\/span>
<\/span><\/span>        request.<\/span>setConfig<\/span>(<\/span>config);<\/span>
<\/span><\/span>        
<\/span><\/span>        try<\/span> (<\/span>CloseableHttpResponse response =<\/span> client.<\/span>execute<\/span>(<\/span>request))<\/span> {<\/span>
<\/span><\/span>            return<\/span> sanitizeResponse(<\/span>EntityUtils.<\/span>toString<\/span>(<\/span>response.<\/span>getEntity<\/span>()));<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>五、高级攻击场景<\/h2>
5.1 云服务元数据利用<\/h3>
http:\/\/169.254.169.254\/latest\/meta-data\/ # AWS
http:\/\/metadata.google.internal\/computeMetadata\/v1\/ # GCP
http:\/\/100.100.100.200\/latest\/meta-data\/ # Alibaba Cloud
<\/code><\/pre>
5.2 组合攻击<\/h3>

XXE+SSRF<\/strong>：通过XML外部实体注入触发SSRF<\/li>
SSRF+Redis<\/strong>：利用SSRF攻击内网Redis服务<\/li>
SSRF+CRLF<\/strong>：结合CRLF注入构造更复杂的攻击<\/li>
<\/ol>
六、审计要点总结<\/h2>

查找网络请求点<\/strong>：搜索URL<\/code>、HttpURLConnection<\/code>、HttpClient<\/code>等关键字<\/li>
检查输入来源<\/strong>：确认URL参数是否来自用户可控输入<\/li>
验证过滤逻辑<\/strong>：检查是否有完整的URL验证机制<\/li>
测试协议支持<\/strong>：尝试file:\/\/<\/code>、ftp:\/\/<\/code>等非HTTP协议<\/li>
尝试绕过技巧<\/strong>：测试重定向、DNS重绑定等绕过方法<\/li>
<\/ol>
通过全面理解SSRF漏洞的原理、实现方式和防御措施，开发人员和安全审计人员可以更有效地识别和防范这类安全风险。<\/p>

Java代码审计中的SSRF漏洞深度解析<\/h1>

一、SSRF漏洞原理与危害<\/h2>

1.1 SSRF定义<\/h3> SSRF(Server-Side Request Forgery)即服务端请求伪造漏洞，攻击者通过构造恶意请求使服务端发起非预期的网络请求。<\/p>

二、Java中常见的SSRF漏洞场景<\/h2>

2.1 Spring MVC HttpURLConnection漏洞<\/h3>

2.2 Apache HttpClient漏洞<\/h3>

2.3 OkHttpClient漏洞<\/h3>

三、SSRF漏洞防御方案<\/h2>

四、修复代码示例<\/h2>

五、高级攻击场景<\/h2>

1.1 SSRF定义<\/h3>
SSRF(Server-Side Request Forgery)即服务端请求伪造漏洞，攻击者通过构造恶意请求使服务端发起非预期的网络请求。<\/p>