Add httpclient SSRF vul code

Author: JoyChou93

java-sec-code.iml

@@ -170,5 +170,6 @@
     <orderEntry type="library" name="Maven: org.springframework:spring-aop:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-security:2.1.5.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: commons-net:commons-net:3.6" level="project" />
+    <orderEntry type="library" name="Maven: commons-httpclient:commons-httpclient:3.1" level="project" />
   </component>
 </module>

pom.xml

@@ -84,6 +84,7 @@
             <artifactId>httpclient</artifactId>
             <version>4.3.6</version>
         </dependency>
+
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>fluent-hc</artifactId>
@@ -161,6 +162,13 @@
             <version>3.6</version>
         </dependency>
 
+        <!-- HttpClient SSRF -->
+        <dependency>
+            <groupId>commons-httpclient</groupId>
+            <artifactId>commons-httpclient</artifactId>
+            <version>3.1</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>

src/main/java/org/joychou/Application.java

@@ -8,7 +8,7 @@
 import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 
 
-@ServletComponentScan
+@ServletComponentScan // do filter
 @SpringBootApplication
 // @EnableEurekaClient  // 测试Eureka请打开注释，防止控制台一直有warning
 public class Application extends SpringBootServletInitializer {

src/main/java/org/joychou/CsrfAccessDeniedHandler.java

@@ -14,14 +14,15 @@
 public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
     /**
-     * @desc 返回自定义拦截页面
+     * Design csrf access denied page.
+     *
      */
     @Override
     public void handle(HttpServletRequest request, HttpServletResponse response,
                        AccessDeniedException accessDeniedException) throws IOException, ServletException {
         response.setContentType(MediaType.TEXT_HTML_VALUE); // content-type: text/html
         response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 forbidden
-        response.getWriter().write("CSRF check failed by JoyChou.");  // response
+        response.getWriter().write("CSRF check failed by JoyChou.");  // response contents
     }
 
 }

src/main/java/org/joychou/controller/SSRF.java

@@ -2,7 +2,10 @@
 
 import com.google.common.io.Files;
 import com.squareup.okhttp.OkHttpClient;
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.methods.GetMethod;
 import org.apache.http.HttpResponse;
+import org.apache.http.HttpStatus;
 import org.apache.http.client.fluent.Request;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -176,6 +179,55 @@ public static String ssrf_HttpClient(HttpServletRequest request) {
     }
 
 
+    /**
+     * Safe code: http://localhost:8080/ssrf/commonsHttpClient?url=http://www.baidu.com
+     *
+     * @param request
+     * @return
+     */
+    @RequestMapping("/commonsHttpClient")
+    @ResponseBody
+    public static String commonsHttpClient(HttpServletRequest request) {
+
+        String url = request.getParameter("url");
+
+        // Security check
+        if (!SecurityUtil.checkSSRFWithoutRedirect(url)) {
+            return "Bad man. I got u.";
+        }
+        // Create an instance of HttpClient.
+        HttpClient client = new HttpClient();
+
+        // Create a method instance.
+        GetMethod method = new GetMethod(url);
+
+        // forbid 302 redirection
+        method.setFollowRedirects(false);
+
+        try {
+            // Send http request.
+            int status_code = client.executeMethod(method);
+
+            // Only allow the url that status_code is 200.
+            if (status_code != HttpStatus.SC_OK) {
+                return "Method failed: " + method.getStatusLine();
+            }
+
+            // Read the response body.
+            byte[] resBody = method.getResponseBody();
+            return new String(resBody);
+
+        } catch (IOException e) {
+            return "Error: " + e.getMessage();
+        } finally {
+            // Release the connection.
+            method.releaseConnection();
+        }
+
+
+    }
+
+
     /**
      * http://localhost:8080/ssrf/ImageIO_safe?url=
      *

src/main/java/org/joychou/controller/URLRedirect.java

@@ -13,29 +13,28 @@
 import org.joychou.security.SecurityUtil;
 
 /**
- * @author  JoyChou ([email protected])
- * @date    2017.12.28
- * @desc    Java url redirect.
- * @fix     Check redirect url whitelist.
+ * The vulnerability code and security code of Java url redirect.
+ * The security code is checking whitelist of url redirect.
+ *
+ * @author   JoyChou ([email protected])
+ * @version  2017.12.28
  */
 
-
 @Controller
 @RequestMapping("/urlRedirect")
 public class URLRedirect {
 
     /**
-     * usage: http://localhost:8080/urlRedirect/redirect?url=http://www.baidu.com
-     *
+     * http://localhost:8080/urlRedirect/redirect?url=http://www.baidu.com
      */
     @GetMapping("/redirect")
     public String redirect(@RequestParam("url") String url) {
         return "redirect:" + url;
     }
 
+
     /**
-     * usage: http://localhost:8080/urlRedirect/setHeader?url=http://www.baidu.com
-     *
+     * http://localhost:8080/urlRedirect/setHeader?url=http://www.baidu.com
      */
     @RequestMapping("/setHeader")
     @ResponseBody
@@ -45,9 +44,9 @@ public static void setHeader(HttpServletRequest request, HttpServletResponse res
         response.setHeader("Location", url);
     }
 
+
     /**
-     * usage: http://localhost:8080/urlRedirect/sendRedirect?url=http://www.baidu.com
-     *
+     * http://localhost:8080/urlRedirect/sendRedirect?url=http://www.baidu.com
      */
     @RequestMapping("/sendRedirect")
     @ResponseBody
@@ -58,13 +57,12 @@ public static void sendRedirect(HttpServletRequest request, HttpServletResponse
 
 
     /**
-     * desc: security code.Because it can only jump according to the path, it cannot jump according to other urls.
-     * usage: http://localhost:8080/urlRedirect/forward?url=/urlRedirect/test
-     *
+     * Safe code. Because it can only jump according to the path, it cannot jump according to other urls.
+     * http://localhost:8080/urlRedirect/forward?url=/urlRedirect/test
      */
     @RequestMapping("/forward")
     @ResponseBody
-    public static void forward(HttpServletRequest request, HttpServletResponse response) throws IOException{
+    public static void forward(HttpServletRequest request, HttpServletResponse response) {
         String url = request.getParameter("url");
         RequestDispatcher rd =request.getRequestDispatcher(url);
         try{
@@ -74,10 +72,10 @@ public static void forward(HttpServletRequest request, HttpServletResponse respo
         }
     }
 
+
     /**
-     * desc: sendRedirect security code
-     * usage: http://localhost:8080/urlRedirect/sendRedirect_seccode?url=http://www.baidu.com
-     *
+     * Safe code of sendRedirect.
+     * http://localhost:8080/urlRedirect/sendRedirect_seccode?url=http://www.baidu.com
      */
     @RequestMapping("/sendRedirect_seccode")
     @ResponseBody