
Reproducing bug in Java.net.URL?

Open ackerleytng opened this issue 6 years ago • 0 comments

On the slide entitled "Big Picture" at https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf, it was indicated that Java net.URL is vulnerable to Host Injection issues.

I was trying to reproduce the bug in Java using bin/requester/get.class, where parse_url parses out google.com but readfile fetches evil.com in the URL http://google.com#@evil.com/, but I wasn't able to do so.

I looked through your notes in samples.txt and found that you mentioned "http://11.11.11.11@@22.22.22.22" is weird.

I was able to reproduce that: Java's net.URL was unable to parse out the host at all. That's an interesting finding! When you say that net.URL is vulnerable to host injection, did you mean this bug, which could lead to a DoS, or were you able to find vulnerabilities similar to PHP's parse_url vs curl? Which versions of Java were vulnerable?

ackerleytng, Jun 12 '19 23:06
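The two inputs quoted in the issue can be checked directly against the JDK parsers. The program below is an added example written for this page, not code from Tiny-URL-Fuzzer or from the issue author; it feeds the page's two URL strings to both java.net.URL and java.net.URI, prints what each reports as the host, and shows a defensive allow-list check that rejects any URL for which either parser cannot produce a host or the two parsers disagree. The class name HostParseCheck, the helper names and the allow list containing google.com are assumptions made for the example; the URL strings are copied from the issue text and are never fetched.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Set;

public class HostParseCheck {

    // Test vectors copied from the issue text above (constructed input, nothing is fetched).
    static final String[] SAMPLES = {
        "http://google.com#@evil.com/",
        "http://11.11.11.11@@22.22.22.22"
    };

    /** Host as seen by java.net.URL, or null when the parser yields no usable host.
     *  URL's authority parser treats more than one '@' as "not server-based" and
     *  leaves the host empty, which is the behaviour the issue describes. */
    static String hostViaUrl(String spec) {
        try {
            String h = new URL(spec).getHost();
            return (h == null || h.isEmpty()) ? null : h;
        } catch (MalformedURLException e) {
            return null;
        }
    }

    /** Host as seen by java.net.URI; null when the authority is registry-based
     *  (i.e. it could not be parsed as user-info@host:port). */
    static String hostViaUri(String spec) {
        try {
            return new URI(spec).getHost();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Defensive check (assumed policy for this example): accept only if both
     *  parsers extract a host, both agree on it, and it is on the allow list.
     *  Any parser disagreement or missing host is treated as a rejection rather
     *  than letting the fetching layer decide what the host "really" is. */
    static boolean isAllowed(String spec, Set<String> allowedHosts) {
        String byUrl = hostViaUrl(spec);
        String byUri = hostViaUri(spec);
        if (byUrl == null || byUri == null) {
            return false;                       // no host found by at least one parser
        }
        if (!byUrl.equalsIgnoreCase(byUri)) {
            return false;                       // parsers disagree on the host
        }
        return allowedHosts.contains(byUrl.toLowerCase());
    }

    public static void main(String[] args) {
        Set<String> allow = Set.of("google.com");   // assumed allow list
        for (String s : SAMPLES) {
            System.out.printf("%-36s URL.getHost=%-12s URI.getHost=%-12s allowed=%b%n",
                    s, hostViaUrl(s), hostViaUri(s), isAllowed(s, allow));
        }
    }
}
```

For the first sample both JDK parsers stop at the `#` and report google.com, with `@evil.com/` left in the fragment, so there is no parse-versus-fetch split inside Java itself for that input. For the second sample URL leaves the host empty and URI reports no host at all, so the check rejects it; validating the host with a different parser than the one used to fetch, or accepting a URL whose host came back empty, is exactly the gap such a check is meant to close.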