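import java.io.IOException;
import java.net.URI;
import org.apache.http.Header;
import org.apache.http.HeaderIterator;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.HttpResponse;
import org.apache.http.ProtocolVersion;
import org.apache.http.RequestLine;
import org.apache.http.client.HttpClient;
import org.apache.http.client.ResponseHandler;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.message.BasicHttpRequest;
import org.apache.http.params.HttpParams;
import org.apache.http.protocol.HttpContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Query-test fixture: server-side request forgery (CWE-918) through every
 * {@code execute} overload of Apache HttpClient 4.x.
 *
 * <p>The {@code // $ Source} and {@code // $ Alert} comments are expectations
 * read by the test harness, not ordinary documentation: the query under test
 * must report a flow from the {@code host} request parameter to each call
 * marked {@code $ Alert}. Keep them on their lines when editing.
 *
 * <p>This servlet is deliberately vulnerable and must not be used as a
 * template. A real handler would take the target from server-side
 * configuration or an allow-list rather than from the request, and would
 * validate scheme, host and port before constructing an {@link HttpHost}.
 *
 * <p>Fix relative to the collapsed listing: the generic {@code execute}
 * overloads had lost their {@code <T>} type parameter and
 * {@code ResponseHandler<? extends T>} bound, so the anonymous client did not
 * compile; the HttpClient 4.x signatures are restored here.
 */
public class ApacheHttpClientExecuteSSRF extends HttpServlet {

    /**
     * Reads the attacker-controlled {@code host} parameter, wraps it both as an
     * {@link HttpHost} and as the URI of an {@link HttpUriRequest}, and hands
     * the result to all eight {@code HttpClient.execute} overloads.
     *
     * <p>No network I/O happens: the {@link HttpClient} used here is an
     * anonymous stub whose {@code execute} methods all return {@code null}.
     * The fixture only needs the calls to be reachable by taint tracking.
     *
     * @param request  incoming servlet request; {@code host} is read from it
     * @param response unused
     * @throws ServletException never thrown by this fixture
     * @throws IOException      never thrown by this fixture
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            // Untrusted input: fully controlled by the remote client.
            String sink = request.getParameter("host"); // $ Source

            // Sink shape 1: the tainted string becomes the request target, so the
            // caller of this servlet chooses which host (and port) is contacted.
            HttpHost host = new HttpHost(sink);
            HttpRequest req = new BasicHttpRequest("GET", "/");

            // Sink shape 2: the taint reaches the client through the request's own
            // URI. Hard-coding the scheme does not mitigate anything -- the
            // authority (host and port) and path are still attacker-controlled.
            // Only getMethod() and getURI() return meaningful values; the rest of
            // this stub is no-ops and nulls.
            HttpUriRequest uriReq = new HttpUriRequest() {
                @Override
                public String getMethod() {
                    return "GET";
                }

                @Override
                public URI getURI() {
                    return URI.create("https://" + sink);
                }

                @Override
                public void abort() throws UnsupportedOperationException {
                }

                @Override
                public boolean isAborted() {
                    return false;
                }

                @Override
                public RequestLine getRequestLine() {
                    return null;
                }

                @Override
                public ProtocolVersion getProtocolVersion() {
                    return null;
                }

                @Override
                public boolean containsHeader(String name) {
                    return false;
                }

                @Override
                public Header[] getHeaders(String name) {
                    return null;
                }

                @Override
                public Header getFirstHeader(String name) {
                    return null;
                }

                @Override
                public Header getLastHeader(String name) {
                    return null;
                }

                @Override
                public Header[] getAllHeaders() {
                    return null;
                }

                @Override
                public void addHeader(Header header) {
                }

                @Override
                public void addHeader(String name, String value) {
                }

                @Override
                public void setHeader(Header header) {
                }

                @Override
                public void setHeader(String name, String value) {
                }

                @Override
                public void setHeaders(Header[] headers) {
                }

                @Override
                public void removeHeader(Header header) {
                }

                @Override
                public void removeHeaders(String name) {
                }

                @Override
                public HeaderIterator headerIterator() {
                    return null;
                }

                @Override
                public HeaderIterator headerIterator(String name) {
                    return null;
                }

                @Override
                public HttpParams getParams() {
                    return null;
                }

                @Override
                public void setParams(HttpParams params) {
                }
            };

            HttpContext context = null;

            // Stub client: every overload is a sink for the query, none performs I/O.
            // The generic overloads use the HttpClient 4.x signature
            // <T> T execute(..., ResponseHandler<? extends T> handler, ...).
            HttpClient client = new HttpClient() {
                @Override
                public HttpResponse execute(HttpHost target, HttpRequest request)
                        throws IOException {
                    return null;
                }

                @Override
                public HttpResponse execute(HttpHost target, HttpRequest request,
                        HttpContext context) throws IOException {
                    return null;
                }

                @Override
                public <T> T execute(HttpHost target, HttpRequest request,
                        ResponseHandler<? extends T> responseHandler) throws IOException {
                    return null;
                }

                @Override
                public <T> T execute(HttpHost target, HttpRequest request,
                        ResponseHandler<? extends T> responseHandler, HttpContext context)
                        throws IOException {
                    return null;
                }

                @Override
                public HttpResponse execute(HttpUriRequest request) throws IOException {
                    return null;
                }

                @Override
                public HttpResponse execute(HttpUriRequest request, HttpContext context)
                        throws IOException {
                    return null;
                }

                @Override
                public <T> T execute(HttpUriRequest request,
                        ResponseHandler<? extends T> responseHandler) throws IOException {
                    return null;
                }

                @Override
                public <T> T execute(HttpUriRequest request,
                        ResponseHandler<? extends T> responseHandler, HttpContext context)
                        throws IOException {
                    return null;
                }
            };

            ResponseHandler<?> handler = null;

            // Overloads taking an explicit HttpHost: tainted through `host`.
            client.execute(host, req); // $ Alert
            client.execute(host, req, context); // $ Alert
            client.execute(host, req, handler); // $ Alert
            client.execute(host, req, handler, context); // $ Alert

            // Overloads taking an HttpUriRequest: tainted through uriReq.getURI().
            client.execute(uriReq); // $ Alert
            client.execute(uriReq, context); // $ Alert
            client.execute(uriReq, handler); // $ Alert
            client.execute(uriReq, handler, context); // $ Alert
        } catch (Exception ignored) {
            // Fixture only: error handling is out of scope for this test, which
            // asserts taint flow. Production code must not swallow exceptions here.
        }
    }
}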