Unsanitized user input in HTTP request (SSRF)

Overview

  • Rule ID: java_lang_http_url_using_user_input

  • Applicable Languages: Java

  • Weakness ID: CWE-918

Description

Building the URL of a server-side HTTP request from unsanitized user input exposes the application to Server-Side Request Forgery (SSRF). An attacker who controls the destination of a request the server makes can use the server's network position to reach hosts the attacker cannot reach directly, such as internal services, cloud instance metadata endpoints, or other hosts that trust the server, and can read the responses if they are returned to the client.

Remediation Guidelines

  • Avoid concatenating or directly incorporating user input into the URL of an HTTP request. Any part the user controls (scheme, host, port or path) lets an attacker redirect the server's request to an internal service, a cloud metadata endpoint, or a host they control.

    new URL(request.getParameter("someRandomUrl")).getContent(); // unsafe
  • Instead, map user input to a predefined set of destinations before using it to construct the URL, and reject anything not on that list. The user then chooses a key, never the URL itself, so the server only ever requests known, safe destinations. Compare against the constant first so a missing parameter (a null return from getParameter) does not throw a NullPointerException.

    String selected = request.getParameter("selectedUrl");
    String url;
    if ("option1".equals(selected)) {        // constant first: safe when the parameter is absent
      url = "https://api1.com";
    } else if ("option2".equals(selected)) {
      url = "https://api2.com";
    } else {
      // Anything not on the list is rejected rather than silently mapped to a default
      throw new IllegalArgumentException("unknown destination: " + selected);
    }
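The following is an added example, not code from the rule or from the project that publishes it. It shows both remediation patterns in one class: the preferred key-to-URL lookup, and, for the case where a user-supplied absolute URL cannot be avoided, parsing it with java.net.URI and checking scheme, host, userinfo and port against an allowlist before the request is sent with redirects disabled. The destinations api1.com and api2.com, the path /data, and the allowlist are assumptions chosen for the example; the inputs in main stand in for request.getParameter(...) values.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added example (not the rule's own code): two ways to keep the destination
// of a server-side HTTP request out of the user's hands.
public final class SafeOutboundRequest {

    // Assumed destinations. The user may only choose between the keys.
    private static final Map<String, URI> DESTINATIONS = Map.of(
            "option1", URI.create("https://api1.com/data"),
            "option2", URI.create("https://api2.com/data"));

    // Assumed allowlist of hosts this server is permitted to call.
    private static final Set<String> ALLOWED_HOSTS = Set.of("api1.com", "api2.com");

    // Pattern 1 (preferred): the user supplies a key, never a URL.
    // Returns empty for a null or unknown key instead of falling back to a default.
    public static Optional<URI> resolveByKey(String key) {
        return Optional.ofNullable(key).map(DESTINATIONS::get);
    }

    // Pattern 2: validate a user-supplied absolute URL against the allowlist.
    // Everything is checked on the parsed URI, not on the raw string, so
    // tricks such as "https://api1.com@evil.example/" (userinfo, not host)
    // or "file:///etc/passwd" (wrong scheme) are rejected.
    public static Optional<URI> validateUserUrl(String raw) {
        if (raw == null) {
            return Optional.empty();
        }
        URI uri;
        try {
            uri = new URI(raw).normalize();
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || !scheme.equalsIgnoreCase("https")) {
            return Optional.empty();                       // only https is allowed
        }
        if (host == null || uri.getUserInfo() != null || uri.getPort() != -1) {
            return Optional.empty();                       // no bare/odd authority, credentials or explicit port
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return Optional.empty();                       // host not on the allowlist
        }
        return Optional.of(uri);
    }

    // Redirects are disabled so an allowed host cannot bounce the server
    // to an internal address with a 3xx response.
    public static String fetch(URI target) throws Exception {
        HttpClient client = HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NEVER)
                .build();
        HttpRequest req = HttpRequest.newBuilder(target).GET().build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        return resp.body();
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for request.getParameter(...) values.
        System.out.println(resolveByKey("option1"));
        System.out.println(resolveByKey("http://169.254.169.254/"));
        System.out.println(validateUserUrl("https://api1.com/v1/items"));
        System.out.println(validateUserUrl("https://API1.com/v1/items"));
        System.out.println(validateUserUrl("https://api1.com@evil.example/"));
        System.out.println(validateUserUrl("https://api1.com:8443/"));
        System.out.println(validateUserUrl("file:///etc/passwd"));
        System.out.println(validateUserUrl(null));
    }
}
```

Running main prints a present Optional for "option1", "https://api1.com/v1/items" and the upper-cased host variant (the host comparison is case-insensitive), and an empty Optional for the key that is really a URL, the userinfo trick, the explicit port, the file: scheme and the null input. A host allowlist is still a name-level check: if the threat model includes DNS rebinding or hosts whose records an attacker can influence, resolve the host and check the resulting addresses as well before connecting.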

Configuration

To skip this rule during a scan, exclude it in the SAST tool's rule configuration.
