University of North Carolina, Charlotte

ITIS 4221

Access Control and SSRF Project Report TABLE OF CONTENTS Section Page # 1.1 Fixing the SSRF Vulnerability in the Penetration Test Application 3-5 2.0 Fix the information disclosure vulnerability under the Insecure Direct Object Reference tab of the penetration_test application and the Access Control vulnerability under the performance evaluation section. 5- 9 3.0 Modifying Apache Shiro Access Control File 9-11 1. Fixing the SSRF Vulnerability in the Penetration Test Application The purpose of this report is to document the steps taken to fix a server-side request forgery (SSRF) vulnerability in the Penetration Test Application. The vulnerability allows attackers to access the /product/design/ endpoint, which should not be accessible to users. The report includes screenshots of the vulnerability being exploited, ZAP modifications to perform the vulnerability, the section of the code where the vulnerability is present, modifications made to the code to mitigate the vulnerability, and screenshots showing that the vulnerability can no longer be exploited. To start, we identified the vulnerability located in the net.uncc.app.ssrf.SsrfController class. We then used ZAP to view the HTTP request using a breakpoint and modified the request to access the /product/design/ endpoint. This confirmed the presence of the SSRF vulnerability. To fix the vulnerability, we implemented a solution using functionality from the Spring Framework. Specifically, we use