Access Control and SSRF
Project Report
TABLE OF CONTENTS

1.1 Fixing the SSRF Vulnerability in the Penetration Test Application
2.0 Fix the information disclosure vulnerability under the Insecure Direct Object Reference tab of the penetration_test application and the Access Control vulnerability under the performance evaluation section.
3.0 Modifying Apache Shiro Access Control File

1. Fixing the SSRF Vulnerability in the Penetration Test Application
The purpose of this report is to document the steps taken to fix a server-side request forgery (SSRF) vulnerability in the Penetration Test Application. The vulnerability allows attackers to reach the /product/design/ endpoint, which should not be accessible to users. The report includes screenshots of the vulnerability being exploited, the ZAP request modifications used to trigger it, the section of the code where the vulnerability is present, the modifications made to the code to mitigate it, and screenshots showing that the vulnerability can no longer be exploited.
To start, we identified the vulnerability in the net.uncc.app.ssrf.SsrfController class. We then used a ZAP breakpoint to intercept the HTTP request and modified it to reach the /product/design/ endpoint. This confirmed the presence of the SSRF vulnerability.
To fix the vulnerability, we implemented a solution using the @PreAuthorize annotation provided by Spring Security. The annotation lets us define a set of rules that must be satisfied before a caller may invoke the handler method, and we used it to restrict access to the /product/design/ endpoint. We added the annotation to the appropriate method in the SsrfController class so that the /product/design/ endpoint is no longer reachable by unauthorized callers.
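As an added illustration (not the report's own code, which is not reproduced here), the following shows how a @PreAuthorize restriction on a /product/design/ handler is written in a Spring controller, together with the configuration it depends on: the annotation is only enforced when method security is enabled. The class names ProductDesignController and MethodSecurityConfig, the role name DESIGNER and the Spring Security 6 annotation are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Assumed configuration class (would normally live in its own file).
// Without this, @PreAuthorize is silently ignored and the endpoint stays open.
// On Spring Security 5.x the equivalent is
// @EnableGlobalMethodSecurity(prePostEnabled = true).
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Assumed controller; the report's own class is net.uncc.app.ssrf.SsrfController.
@RestController
public class ProductDesignController {

    // Before: no restriction, so any request that reaches the handler,
    // including one the application issues on an attacker's behalf,
    // receives the design data.
    //
    // @GetMapping("/product/design/")
    // public String design() { return loadDesign(); }

    // After: the expression is evaluated against the caller's Authentication
    // before the method body runs. If it fails, Spring throws
    // AccessDeniedException, which the web layer turns into a 403 for an
    // authenticated caller or a login challenge for an anonymous one.
    @PreAuthorize("hasRole('DESIGNER')")   // role name is an assumption
    @GetMapping("/product/design/")
    public String design() {
        return loadDesign();
    }

    private String loadDesign() {
        return "design data";   // stand-in for the real lookup
    }
}
```

A useful check after applying the annotation is to repeat the original ZAP replay as an unauthenticated user and as a user lacking the role, and confirm that both are refused before the handler executes.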
We then verified that the /product/design/ endpoint can no longer be accessed through SSRF. We
tested the application using ZAP and confirmed that the endpoint was inaccessible.