SSRF in clojure

and why i care: gowherene

a little about me

  • work in cybersecurity
  • love
    • exploring programming languages
    • functional programming/clojure

motivation: gowherene

A webapp to help you map out addresses on webpages!

Try this listicle, mapped out!

quick aside

pronounce: go where 呢 (ne)

呢: a Chinese modal particle

"what about...?"

你吃了吗? Have you eaten?
吃了, 你呢? I have, and what about you?

today's talk

  • How gowherene works
  • Intro to SSRF and defending your app
  • Validation bypasses

server-side request forgery

  • Attacker guesses the URL of some internal webserver
  • Abuses the main server to fetch internal resources on their behalf

common/possible targets

  • file:///etc/passwd
  • http://169.254.169.254/latest/meta-data/

fix it!

  • don't trust user inputs
  • validate and reject before access

things to check for

  • scheme - only allow http/https
  • only permit access to WAN addresses
  • only allow access to ports 80 and 443

devil is in the details

  • parsing
  • validating
  • accessing the address
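Added example (not gowherene's code, and not from the accompanying repo): one Clojure take on the three checks above, written so that parsing, validating and accessing all use the same java.net.URI object. The allow-lists, the helper names and the `:ok`/`:reason` result shape are assumptions made for this illustration.

```clojure
(ns ssrf-check
  (:import [java.net URI InetAddress HttpURLConnection]))

;; Constructed allow-lists matching the slide: http/https on 80/443 only.
(def allowed-schemes #{"http" "https"})
(def allowed-ports #{80 443})

(defn- effective-port
  "Port the request will really use: the explicit port, else the scheme default."
  [^URI uri]
  (let [p (.getPort uri)]
    (if (neg? p)
      (if (= "https" (.getScheme uri)) 443 80)
      p)))

(defn- non-wan-address?
  "True for addresses we must never fetch from: loopback, link-local
   (covers 169.254.169.254), site-local (RFC 1918), multicast, 0.0.0.0."
  [^InetAddress addr]
  (or (.isLoopbackAddress addr)
      (.isLinkLocalAddress addr)
      (.isSiteLocalAddress addr)
      (.isMulticastAddress addr)
      (.isAnyLocalAddress addr)))

(defn validate-url
  "Parses url-string exactly once with java.net.URI and returns either
   {:ok true :uri <URI> :addresses [...]} or {:ok false :reason <string>}.
   Everything downstream must use :uri, never the raw string."
  [url-string]
  (let [^URI uri (try (URI. url-string) (catch Exception _ nil))]
    (cond
      (nil? uri)
      {:ok false :reason "unparseable"}

      (not (contains? allowed-schemes (some-> (.getScheme uri) .toLowerCase)))
      {:ok false :reason "scheme not http/https"}

      ;; getHost is nil when the authority is not a clean host[:port];
      ;; reject instead of guessing what a fetcher might do with it.
      (nil? (.getHost uri))
      {:ok false :reason "no host"}

      (not (contains? allowed-ports (effective-port uri)))
      {:ok false :reason "port not 80/443"}

      :else
      (let [addrs (try (seq (InetAddress/getAllByName (.getHost uri)))
                       (catch Exception _ nil))]
        (cond
          (empty? addrs)
          {:ok false :reason "host does not resolve"}

          ;; every resolved address must be WAN; one internal answer is enough to reject
          (some non-wan-address? addrs)
          {:ok false :reason "resolves to non-WAN address"}

          :else
          {:ok true
           :uri uri
           :addresses (mapv #(.getHostAddress ^InetAddress %) addrs)})))))

(defn fetch-validated
  "Accesses the address only through the URI that passed validation.
   Redirects are disabled so a 3xx pointing at an internal address cannot
   sidestep the check. Returns {:status n :body s-or-nil}."
  [{:keys [ok uri reason]}]
  (when-not ok
    (throw (ex-info "refusing to fetch" {:reason reason})))
  (let [conn (doto ^HttpURLConnection (.openConnection (.toURL ^URI uri))
               (.setInstanceFollowRedirects false)
               (.setConnectTimeout 5000)
               (.setReadTimeout 5000))
        status (.getResponseCode conn)]
    {:status status
     :body (when (< status 400) (slurp (.getInputStream conn)))}))

(comment
  ;; the two targets from the slides, and a normal page
  (validate-url "file:///etc/passwd")
  (validate-url "http://169.254.169.254/latest/meta-data/")
  (fetch-validated (validate-url "https://wikipedia.org/")))
```

Two details worth noticing: the address check resolves the name at validation time while the connection resolves it again, so the two lookups can disagree; and following redirects would re-open the "accessing" step without re-running the "validating" step, which is why the fetch turns them off.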

validation bypass example

  • php:5.5-cli => http://wikipedia.org
  • php:5.5-cli => http://t.co
  • php:5.5-cli => http://wikipedia.org#@t.co
  • php:5.6-cli => http://wikipedia.org#@t.co

to be fair to php

  • parse_url: php
  • curl_get_contents: external library
  • but slides show that Java is vulnerable too!

change gears

  • to look at some code (explore-clj/core.clj)

conclusions

  • ssrf exploits bugs in logic - will affect clojure
  • couldn't reproduce host injection bugs in java's net.URL or net.URI
    • other than a potential DoS

references

please use gowherene!

https://gowherene.herokuapp.com
@ackerleytng

accompanying repo

https://github.com/ackerleytng/ssrf-clojure-talk-gowherene/