From f8c0184306219c9a6c1243817cd87be557ca4333 Mon Sep 17 00:00:00 2001
From: BitterPanda
Date: Wed, 9 Jul 2025 12:06:03 +0200
Subject: [PATCH 1/3] findHostnameInUserInput use equalsIgnoreCase
---
 .../agent_api/vulnerabilities/ssrf/FindHostnameInContext.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/FindHostnameInContext.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/FindHostnameInContext.java
index 9accb3783..e4b953e3d 100644
--- a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/FindHostnameInContext.java
+++ b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/FindHostnameInContext.java
@@ -50,7 +50,7 @@ public static boolean hostnameInUserInput(String userInput, String hostname, int
 if (userInputUrl == null || userInputUrl.getHost() == null) {
 continue;
 }
- if (userInputUrl.getHost().equals(hostnameUrl.getHost())) {
+ if (userInputUrl.getHost().equalsIgnoreCase(hostnameUrl.getHost())) {
 if (userInputUrl.getPort() == -1 || port == -1) {
 return true;
 }
From a56f90c61c270e7cb60ea9a607f5627587a0b6ce Mon Sep 17 00:00:00 2001
From: BitterPanda
Date: Wed, 9 Jul 2025 12:06:11 +0200
Subject: [PATCH 2/3] Add unit test that checks equalsIgnoreCase is in use
---
 .../ssrf/SSRFDetectorTest.java | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/agent_api/src/test/java/vulnerabilities/ssrf/SSRFDetectorTest.java b/agent_api/src/test/java/vulnerabilities/ssrf/SSRFDetectorTest.java
index edfbbc38d..97ec9e4e5 100644
--- a/agent_api/src/test/java/vulnerabilities/ssrf/SSRFDetectorTest.java
+++ b/agent_api/src/test/java/vulnerabilities/ssrf/SSRFDetectorTest.java
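Review bot: The switch to `equalsIgnoreCase` on the host comparison is the right call, but the line carries no explanation of why, and the next reader may "simplify" it back to `equals`; I would add above it `// DNS names are case-insensitive (RFC 4343): a differently-cased redirect target must still match the user-supplied host`. `String.equalsIgnoreCase` is also locale-independent, so it avoids the default-locale pitfalls of `toLowerCase()`-then-`equals`, which is worth one more word in that comment. Beyond case, other spellings of the same host (a trailing dot, or an IDN host in Unicode vs. punycode form) would presumably still fail this comparison if they reach it unnormalised; whether the caller canonicalises `hostname` before building `hostnameUrl` is not visible in this hunk. The enclosing method `hostnameInUserInput` starts before and continues after the hunk.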
@@ -60,6 +60,30 @@ public void testSsrfDetectorWithRedirectTo127IP() throws MalformedURLException {
 assertEquals("8080", attackData.metadata.get("port"));
 }
+ @Test
+ @SetEnvironmentVariable(key = "AIKIDO_TOKEN", value = "invalid-token")
+ public void testSsrfDetectorWithRedirectTo127IPButHostnameCapitalizationDifferent() throws MalformedURLException {
+ // Setup context :
+ setContextAndLifecycle("http://Ssrf-redirects.testssandbox.com/ssrf-test");
+
+ URLCollector.report(new URL("http://Ssrf-redirects.testssandbox.com/ssrf-test"));
+ RedirectCollector.report(new URL("http://ssrf-Redirects.testssandbox.com/ssrf-test"), new URL("http://127.0.0.1:8080"));
+ Attack attackData = new SSRFDetector().run(
+ "127.0.0.1", 8080,
+ List.of("127.0.0.1"),
+ "testop"
+ );
+
+ assertNotNull(attackData);
+ assertEquals("testop", attackData.operation);
+ assertEquals("ssrf", attackData.kind);
+ assertEquals("query", attackData.source);
+ assertEquals("http://Ssrf-redirects.testssandbox.com/ssrf-test", attackData.payload);
+ assertEquals(".arg.[0]", attackData.pathToPayload);
+ assertEquals("127.0.0.1", attackData.metadata.get("hostname"));
+ assertEquals("8080", attackData.metadata.get("port"));
+ }
+
 @Test
 @SetEnvironmentVariable(key = "AIKIDO_TOKEN", value = "invalid-token")
 public void testSsrfDetectorWithRedirectToLocalhost() throws MalformedURLException {
From d29479fed550375e7b2f3a93f3e9fa47541eecef Mon Sep 17 00:00:00 2001
From: BitterPanda
Date: Wed, 9 Jul 2025 12:07:39 +0200
Subject: [PATCH 3/3] Add unit tests to the function hostnameInUserInput for equalsIgnoreCase
---
 .../ssrf/FindHostnameInContextTest.java | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/agent_api/src/test/java/vulnerabilities/ssrf/FindHostnameInContextTest.java b/agent_api/src/test/java/vulnerabilities/ssrf/FindHostnameInContextTest.java
index 283f96dd4..123df2f57 100644
--- a/agent_api/src/test/java/vulnerabilities/ssrf/FindHostnameInContextTest.java
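Review bot: The new test repeats the entire eight-line assertion block of the neighbouring `testSsrfDetectorWithRedirectTo127IP` test verbatim, differing only in the casing of the reported URLs; the intent of the test (the three deliberately different casings of `ssrf-redirects` across the context, the `URLCollector` report and the `RedirectCollector` report) is easy to miss in that noise. I would replace the `// Setup context :` line with a comment stating what is being exercised, e.g. `// Same host reported with three different casings: detection must still link the redirect to the user input`, and consider pulling the shared assertions into a private helper such as `assertRedirectTo127Attack(attackData, expectedPayload)` so each test reads as its one distinguishing input. The method name is long enough that `ToLocalhost`-style siblings will not line up; `testSsrfDetectorRedirectTo127IPIgnoresHostnameCase` says the same thing more briefly.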
+++ b/agent_api/src/test/java/vulnerabilities/ssrf/FindHostnameInContextTest.java
@@ -37,6 +37,17 @@ void testItParsesHostnameFromUserInputWithPathBehindIt() {
 assertTrue(hostnameInUserInput("http://localhost/path", "localhost", 80));
 }
+ @Test
+ void testHostnameCapitalizationIsNotImportant() {
+ assertTrue(hostnameInUserInput("http://Localhost/path", "localhost", 80));
+ }
+
+ @Test
+ void testHostnameCapitalizationIsNotImportant2() {
+ assertTrue(hostnameInUserInput("http://localhost/path", "LOCALHOST", 80));
+ }
+
+
 @Test
 void testItDoesNotParseHostnameFromUserInputWithMisspelledProtocol() {
 assertFalse(hostnameInUserInput("http:/localhost", "localhost", 80));
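Review bot: The two added tests are distinguished only by a numeric suffix, which hides that they cover different directions of the comparison (mixed case in the user input vs. upper case in the expected hostname); the names should say so, e.g. `void testHostnameMatchesWhenUserInputHostIsCapitalized()` and `void testHostnameMatchesWhenExpectedHostnameIsUpperCase()`. The hunk also ends with two consecutive added blank lines before the existing `@Test`, leaving a double blank line in the file; drop one. Given that the change is motivated by an SSRF check that must not be bypassable by casing, a third case with mixed case on both sides and an explicit port (e.g. `"http://LocalHost:8080/path", "localHOST", 8080`) would pin the behaviour the `SSRFDetectorTest` addition in this series relies on, at the unit level.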