
I want to detect SSRF by validating whether a host is localhost. But I cannot detect the address "0177.1" as localhost.

I tried this code to detect if a host is localhost.

import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;

// Returns true for the wildcard address, any loopback address, or an address
// that is bound to one of this machine's own network interfaces.
public static boolean isLocalAddress(InetAddress address) {
    if (address.isAnyLocalAddress() || address.isLoopbackAddress()) {
        return true;
    }
    try {
        return NetworkInterface.getByInetAddress(address) != null;
    } catch (SocketException e) {
        return false;
    }
}

I have tried it with many addresses, and it detects all of them except "0177.1".

David
  • It's unclear why you're worried about this. That is simply another representation of `127.0.0.1` - in this case in Octal. Have you checked `0x7F000001` (hex) and `2130706433` (decimal) too? How would you ever get this address? Are you worried about someone coding this into HTML? – stdunbar Apr 26 '19 at 00:12
  • I generally want to have a method to check if an address is local. For example, in a web application, some kind of download from URL or import function. If someone manages to put a local IP in the import field, the backend might make a request more or less controlled by the user to a private service on your server (database, etc.) – David Apr 30 '19 at 20:36
  • I checked 0x7F000001 and 2130706433 before I made the post, and for these addresses the method does return true! Here is a list of addresses I tested: localhost, [::], [0:0:0:0:0:0:0:0], 0.0.0.0, 127.0.0.2, 127.0.0.1, 0177.1 (DOES NOT WORK), 0x7f.1, 127.1, [::1], 017700000001, 0x7f.1, 0x7f.0.0.1, 0x7f000001, 2130706433, 127.000.000.001, 127.0.1, [0:0:0:0:0:ffff:0.0.0.0], [::ffff:0.0.0.0], [::ffff:0:0], [0:0:0:0:0:ffff:127.0.0.1], [::ffff:127.0.0.1], [::ffff:7f00:1], [0:0:0:0:0:ffff:127.0.0.2], [::ffff:127.0.0.2], [::ffff:7f00:2] – David Apr 30 '19 at 20:39
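The comment above explains the gap: "0177.1" is an octal spelling of 127.0.0.1, and the JDK's own literal parser does not read leading zeros as octal, so the InetAddress handed to the check is not the loopback address that libc-based clients would actually connect to. As an added example (not code from the question or its comments), the check below first parses the candidate with the same lenient grammar that inet_aton uses, then tests the resulting bytes instead of the original text; the class and method names and the extra fc00::/7 and 100.64.0.0/10 range tests are assumptions of this example.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;

public final class LocalHostCheck {

    // Parse an IPv4 literal the way libc's inet_aton (and so most HTTP
    // clients) does: 1 to 4 dot-separated parts, each decimal, octal
    // (leading 0) or hex (0x); the last part fills every remaining byte.
    // Returns null when the string is not a literal in that grammar, so
    // hostnames and IPv6 literals fall through to the JDK parser.
    static byte[] parseInetAton(String s) {
        String[] parts = s.split("\\.", -1);
        if (parts.length > 4) return null;
        long[] v = new long[parts.length];
        for (int i = 0; i < parts.length; i++) {
            String p = parts[i];
            if (p.matches("0[xX][0-9a-fA-F]{1,8}")) v[i] = Long.parseLong(p.substring(2), 16);
            else if (p.matches("0[0-7]{0,11}")) v[i] = Long.parseLong(p, 8);
            else if (p.matches("[1-9][0-9]{0,9}")) v[i] = Long.parseLong(p, 10);
            else return null;
        }
        int n = parts.length;
        long addr = 0;
        for (int i = 0; i < n - 1; i++) {
            if (v[i] > 0xFF) return null;
            addr = (addr << 8) | v[i];
        }
        int restBits = 8 * (5 - n);            // bits the last part must fill
        if (v[n - 1] >= (1L << restBits)) return null;
        addr = (addr << restBits) | v[n - 1];
        return new byte[] {(byte) (addr >>> 24), (byte) (addr >>> 16), (byte) (addr >>> 8), (byte) addr};
    }

    // Normalise first, then test the address bytes rather than the text.
    // "0177.1" becomes 127.0.0.1 here and is caught by isLoopbackAddress.
    // Hostnames are resolved by InetAddress.getByName (assumption: resolving
    // at check time is acceptable); Java never returns an IPv4-mapped
    // Inet6Address, so "::ffff:127.0.0.1" arrives as a plain 127.0.0.1.
    static boolean isLocalOrPrivate(String host) throws UnknownHostException {
        byte[] v4 = parseInetAton(host);
        InetAddress a = v4 != null ? InetAddress.getByAddress(v4) : InetAddress.getByName(host);
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress()) return true;
        byte[] b = a.getAddress();
        if (a instanceof Inet6Address) return (b[0] & 0xFE) == 0xFC;  // fc00::/7 unique local
        return (b[0] & 0xFF) == 100 && (b[1] & 0xC0) == 64;         // 100.64.0.0/10 shared space
    }
}
```

Every entry in the comment's list, including "0177.1" and "017700000001", resolves to a loopback or wildcard address under this check; a hostname that resolves to a private address at check time is also rejected, although a record that changes between the check and the actual request is not covered by a one-time check like this.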

0 Answers