
Add SSRF detector #643

Merged
merged 6 commits into from
Apr 28, 2023

Conversation

bertschneider
Contributor

Server Side Request Forgery (SSRF) attacks occur when requests to destinations based on untrusted data are executed. This could lead to exfiltration of sensitive data or exposure of internal services.

The sanitizer detects such attacks by checking if the fuzzer was able to inject a honeypot host name into the requested destination. If this is the case, it reports a high severity security issue.

Checks are implemented via java.net.Socket.connect and java.nio.channels.SocketChannel.connect methods.
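As an added example (not the sanitizer this PR merges into Jazzer), the following hook sketches the detection the description outlines: intercept the two `connect` methods, read the destination host from the `SocketAddress` argument without triggering a DNS lookup, and report a high-severity finding when that host is the honeypot name. The hook API types (`MethodHook`, `HookType`, `Jazzer`, `FuzzerSecurityIssueHigh`) are those of Jazzer's public `com.code_intelligence.jazzer.api` package; the honeypot host `jazzer.example.com`, the class name `SsrfHoneypotHook`, and the use of `guideTowardsEquality` to steer the fuzzer toward the honeypot string are assumptions of this example.

```java
// Added example, not Jazzer's own SSRF sanitizer. Hook API names are those of
// com.code_intelligence.jazzer.api; the honeypot host name is an assumption.
import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
import com.code_intelligence.jazzer.api.HookType;
import com.code_intelligence.jazzer.api.Jazzer;
import com.code_intelligence.jazzer.api.MethodHook;

import java.lang.invoke.MethodHandle;
import java.net.InetSocketAddress;
import java.net.SocketAddress;

public final class SsrfHoneypotHook {
  // Assumed honeypot host: a name that only fuzzer-controlled input would ever produce,
  // so reaching connect() with it proves untrusted data controls the destination.
  static final String HONEYPOT_HOST = "jazzer.example.com";

  private SsrfHoneypotHook() {}

  /** Returns the host part of a connect() target without a DNS lookup, or null. */
  static String hostOf(SocketAddress target) {
    if (!(target instanceof InetSocketAddress)) {
      return null;
    }
    // getHostString() yields the host name or IP literal as the caller supplied it;
    // getHostName() could perform a reverse lookup, which the check must not do.
    return ((InetSocketAddress) target).getHostString();
  }

  /** True if the destination host equals the honeypot (case-insensitive, trailing dot ignored). */
  static boolean isHoneypot(SocketAddress target) {
    String host = hostOf(target);
    if (host == null) {
      return false;
    }
    if (host.endsWith(".")) {
      host = host.substring(0, host.length() - 1);
    }
    return host.equalsIgnoreCase(HONEYPOT_HOST);
  }

  // Both connect() methods take the SocketAddress as their first argument. A BEFORE hook
  // runs before the real connect, so a reported finding never opens a connection.
  @MethodHook(type = HookType.BEFORE, targetClassName = "java.net.Socket", targetMethod = "connect")
  @MethodHook(type = HookType.BEFORE, targetClassName = "java.nio.channels.SocketChannel", targetMethod = "connect")
  public static void checkConnect(MethodHandle method, Object thisObject, Object[] arguments, int hookId) {
    if (arguments.length == 0 || !(arguments[0] instanceof SocketAddress)) {
      return;
    }
    SocketAddress target = (SocketAddress) arguments[0];
    String host = hostOf(target);
    if (host != null) {
      // Tell the fuzzer how close this host is to the honeypot so it can mutate toward it.
      Jazzer.guideTowardsEquality(host, HONEYPOT_HOST, hookId);
    }
    if (isHoneypot(target)) {
      Jazzer.reportFindingFromHook(
          new FuzzerSecurityIssueHigh(
              "Server Side Request Forgery (SSRF): attempted connection to " + target));
    }
  }
}
```

The class would be loaded through Jazzer's `--custom_hooks` flag. Two caveats a practitioner should check before relying on a hook like this: `isHoneypot` compares the literal host string, so an input that reaches the honeypot only after the target application resolves or rewrites the name is not caught here, and whether a hook declared on the abstract `java.nio.channels.SocketChannel` also instruments the JDK's implementing class depends on Jazzer's hook matching, so confirm the hook fires with a deliberately constructed honeypot input before trusting its silence.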

@bertschneider bertschneider force-pushed the FUZZ-483_ssrf_bug_detector branch 8 times, most recently from e5ebda2 to b7ac3a1 Compare March 3, 2023 09:31
Contributor

@0xricksanchez 0xricksanchez left a comment

Looks reasonable to me. The example fuzzer is quite slow, and I was able to get one slow output (as mentioned in the sanitizer comments), which I'm not sure is a good finding here.

Slowest unit: 75 s:
artifact_prefix='/private/var/tmp/_bazel_christopher/8c60c24fbbc15a396e9df7c56a2aae10/execroot/jazzer/bazel-out/darwin_arm64-opt/testlogs/examples/BatikTranscoderFuzzer/test.outputs/'; Test unit written to /private/var/tmp/_bazel_christopher/8c60c24fbbc15a396e9df7c56a2aae10/execroot/jazzer/bazel-out/darwin_arm64-opt/testlogs/examples/BatikTranscoderFuzzer/test.outputs/slow-unit-17f8ba6eb1d560a71023696c46f7d388e9d7405e
Base64: ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODHzMQ==

Contributor

@0xricksanchez 0xricksanchez left a comment

Please don't hesitate to resolve as is if you deem this good enough to add.

@bertschneider bertschneider force-pushed the FUZZ-483_ssrf_bug_detector branch 3 times, most recently from 0878ff6 to 2f1fadd Compare March 17, 2023 08:44
@fmeum fmeum force-pushed the FUZZ-483_ssrf_bug_detector branch 3 times, most recently from e350324 to a9547c5 Compare April 3, 2023 15:49
onionpsy and others added 2 commits April 26, 2023 12:52
Server Side Request Forgery (SSRF) attacks occur when requests to
destinations based on untrusted data are executed. This could lead to
exfiltration of sensitive data or exposure of internal services.

The sanitizer detects such attacks by checking if the fuzzer was able to
inject a honeypot host name into the requested destination. If this
is the case, it reports a high severity security issue.

Checks are implemented via `java.net.Socket.connect` and
`java.nio.channels.SocketChannel.connect` methods.
@fmeum fmeum force-pushed the FUZZ-483_ssrf_bug_detector branch from a9547c5 to 5bbf62a Compare April 26, 2023 10:52
@fmeum fmeum force-pushed the FUZZ-483_ssrf_bug_detector branch from 5bbf62a to 6efc834 Compare April 26, 2023 10:55
@fmeum
Contributor

fmeum commented Apr 26, 2023

@bertschneider I updated the PR, could you take a look?

I am thinking that we should maybe reduce the severity to Medium. What do you think?

@bertschneider
Contributor Author

bertschneider commented Apr 27, 2023

I really like this approach, especially the configuration via scopes.
We should also add some kind of documentation, but we can combine that with the overall sanitizer docs in a different PR.

@fmeum
Contributor

fmeum commented Apr 27, 2023

@bertschneider Do you have an idea why the HTTPClient test isn't skipped in CI? Am I using the tag incorrectly?

@fmeum fmeum force-pushed the FUZZ-483_ssrf_bug_detector branch from 359a2e5 to 0cfc340 Compare April 28, 2023 09:15
@fmeum fmeum merged commit 363dc16 into main Apr 28, 2023
@fmeum fmeum deleted the FUZZ-483_ssrf_bug_detector branch April 28, 2023 09:42