Skip to content

Manual input identification for SSRF #1290

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 54 commits into
base: master
Choose a base branch
from
Open

Manual input identification for SSRF #1290

wants to merge 54 commits into from

Conversation

seran
Copy link
Contributor

@seran seran commented Aug 18, 2025

No description provided.

arcuri82
arcuri82 requested changes Aug 26, 2025
View reviewed changes
@seran seran marked this pull request as ready for review August 26, 2025 09:22
seran added 23 commits August 26, 2025 21:17
@seran
Merge branch 'urlgene-string' into ssrf-manual
54c674e
@seran
UrlHttpGene without path
529cde9
@seran
Merge branch 'urlgene-string' into ssrf-manual
f7bf294
@seran
minor change
59b20a4
@seran
Merge branch 'urlgene-string' into ssrf-manual
9732002
@seran
minor change
bce1aae
@seran
working setValueBasedOn for ArrayGene
217ad30
@seran
Merge branch 'urlgene-string' into ssrf-manual
31af1aa
@seran
Merge branch 'urlgene-string' into ssrf-manual
728af1b
@seran
Merge branch 'ssrf-e2e-cleanup' into ssrf-manual
d001aaf
@seran
Merge branch 'ssrf-e2e-cleanup' into ssrf-manual
3fa798a
@seran
Merge branch 'master' into ssrf-manual
9f1a1f4
@seran
Merge branch 'urlgene-string' into ssrf-manual
1d20a69
@seran
Merge branch 'urlgene-string' into ssrf-manual
6032fa3
@seran
fixes
25d268d
@seran
comments
6179a3b
@seran
clean-up
e89f726
@seran
updated url pattern
17f4356
@seran
clean-up
fa97ac3
@seran
disabled e2e
9b5f263
@seran
clean-up
20093d5
@seran
trying to fix
95f59a2
@seran
minor change
b719399
seran
seran commented Aug 29, 2025
View reviewed changes
core/src/main/kotlin/org/evomaster/core/problem/security/service/SSRFAnalyser.kt
httpCallbackVerifier.isCallbackURL(gene.getValueAsRawString())
}

if (hasCallBackURL) {
// FIXME: When the code reaches this point during SSRF phase
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @arcuri82,

I can see the code reach the AbstractRestFitness during the SSRF detection phase. However, WireMock seems to be null at this point although it was initiated earlier. I'm not sure why this is happening, need your assistance to debug this further.

seran
seran commented Aug 29, 2025
View reviewed changes
core/src/main/kotlin/org/evomaster/core/problem/security/service/HttpCallbackVerifier.kt
@@ -75,7 +80,9 @@ class HttpCallbackVerifier {
* Method generates a unique callback link to be used as payload for SSRF.
*/
fun generateCallbackLink(name: String): String {
val ssrfPath = "/sink/${counter++}"
// FIXME: sink/EM_0 <- slash get replaced with a comma at some point, which fails
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was a problem too, for some reason slash after sink get replaced with a comma when recomputing the fitness.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arcuri82 arcuri82 arcuri82 requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@seran @arcuri82