Merge pull request #197 from AikidoSec/fix-ssrf-bug-with-hostname-capitalization

bitterpanda63 · web-flow · commit 76504ef6090f · 2025-07-11T08:28:12.000Z
Fix SSRF bug: Ignore case when comparing hostnames
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/FindHostnameInContext.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/FindHostnameInContext.java
@@ -50,7 +50,7 @@ public static boolean hostnameInUserInput(String userInput, String hostname, int
             if (userInputUrl == null || userInputUrl.getHost() == null) {
                 continue;
             }
-            if (userInputUrl.getHost().equals(hostnameUrl.getHost())) {
+            if (userInputUrl.getHost().equalsIgnoreCase(hostnameUrl.getHost())) {
                 if (userInputUrl.getPort() == -1 || port == -1) {
                     return true;
                 }
diff --git a/agent_api/src/test/java/vulnerabilities/ssrf/FindHostnameInContextTest.java b/agent_api/src/test/java/vulnerabilities/ssrf/FindHostnameInContextTest.java
@@ -37,6 +37,17 @@ void testItParsesHostnameFromUserInputWithPathBehindIt() {
             assertTrue(hostnameInUserInput("http://localhost/path", "localhost", 80));
         }
 
+        @Test
+        void testHostnameCapitalizationIsNotImportant() {
+            assertTrue(hostnameInUserInput("http://Localhost/path", "localhost", 80));
+        }
+
+        @Test
+        void testHostnameCapitalizationIsNotImportant2() {
+            assertTrue(hostnameInUserInput("http://localhost/path", "LOCALHOST", 80));
+        }
+
+
         @Test
         void testItDoesNotParseHostnameFromUserInputWithMisspelledProtocol() {
             assertFalse(hostnameInUserInput("http:/localhost", "localhost", 80));
diff --git a/agent_api/src/test/java/vulnerabilities/ssrf/SSRFDetectorTest.java b/agent_api/src/test/java/vulnerabilities/ssrf/SSRFDetectorTest.java
@@ -60,6 +60,30 @@ public void testSsrfDetectorWithRedirectTo127IP() throws MalformedURLException {
         assertEquals("8080", attackData.metadata.get("port"));
     }
 
+    @Test
+    @SetEnvironmentVariable(key = "AIKIDO_TOKEN", value = "invalid-token")
+    public void testSsrfDetectorWithRedirectTo127IPButHostnameCapitalizationDifferent() throws MalformedURLException {
+        // Setup context :
+        setContextAndLifecycle("http://Ssrf-redirects.testssandbox.com/ssrf-test");
+
+        URLCollector.report(new URL("http://Ssrf-redirects.testssandbox.com/ssrf-test"));
+        RedirectCollector.report(new URL("http://ssrf-Redirects.testssandbox.com/ssrf-test"), new URL("http://127.0.0.1:8080"));
+        Attack attackData = new SSRFDetector().run(
+            "127.0.0.1", 8080,
+            List.of("127.0.0.1"),
+            "testop"
+        );
+
+        assertNotNull(attackData);
+        assertEquals("testop", attackData.operation);
+        assertEquals("ssrf", attackData.kind);
+        assertEquals("query", attackData.source);
+        assertEquals("http://Ssrf-redirects.testssandbox.com/ssrf-test", attackData.payload);
+        assertEquals(".arg.[0]", attackData.pathToPayload);
+        assertEquals("127.0.0.1", attackData.metadata.get("hostname"));
+        assertEquals("8080", attackData.metadata.get("port"));
+    }
+
     @Test
     @SetEnvironmentVariable(key = "AIKIDO_TOKEN", value = "invalid-token")
     public void testSsrfDetectorWithRedirectToLocalhost() throws MalformedURLException {

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ public static boolean hostnameInUserInput(String userInput, String hostname, int`
`50`	`50`	`if (userInputUrl == null \|\| userInputUrl.getHost() == null) {`
`51`	`51`	`continue;`
`52`	`52`	`}`
`53`		`- if (userInputUrl.getHost().equals(hostnameUrl.getHost())) {`
	`53`	`+ if (userInputUrl.getHost().equalsIgnoreCase(hostnameUrl.getHost())) {`
`54`	`54`	`if (userInputUrl.getPort() == -1 \|\| port == -1) {`
`55`	`55`	`return true;`
`56`	`56`	`}`