huntr report B1CE040C-9ED1-4D36-9B48-82DF42310868 (reporter: myyxl)
History: May 15, 2022 - 12:39 p.m.

Server Side Request Forgery via location header

2022-05-15 12:39:31
myyxl
www.huntr.dev
ssrf bypass
redirection header
proof of concept
bug bounty
http redirect

EPSS: 0.001
Percentile: 51.0%

Description

It is possible to bypass current SSRF checks using a redirection via the location header.

Proof of Concept

1.) Mock a redirect endpoint using https://beeceptor.com/

2.) Add Location: http://localhost:1122 as a response header and set the status code to 301

3.) Listen on port 1122

4.) Access the following resource: /proxy?url=http://<id>.free.beeceptor.com (http is important here)

5.) The request will be made to localhost:1122

From my understanding, the code implements its own redirection handling by reading the Location header and doing a new request. But this happens after setInstanceFollowRedirects is set to true. By setting it to true, the connection will follow redirects automatically before any checks.
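The fix that follows from the proof of concept and the explanation above is to never let HttpURLConnection follow a redirect on its own: call setInstanceFollowRedirects(false) before the response is read, then apply the SSRF check to every Location target before requesting it. The class below is an added example written for this report, not the affected project's code; the class name, the /proxy mapping in the comment, the MAX_REDIRECTS limit and the timeouts are assumptions.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URI;
import java.net.URL;

/**
 * Fetcher for a /proxy?url=... style endpoint (assumed mapping). The JDK is
 * never allowed to follow redirects itself; each hop is validated first.
 */
public class SafeRedirectFetcher {

    private static final int MAX_REDIRECTS = 5;   // assumed limit

    /**
     * Returns true only for http(s) targets whose host resolves exclusively to
     * non-local addresses. Loopback (the localhost:1122 case from the PoC),
     * RFC 1918 site-local, link-local, wildcard and multicast are rejected.
     * Caveat: Inet6Address.isSiteLocalAddress() covers fec0::/10 only, so add
     * an explicit fc00::/7 check if your network uses IPv6 ULAs.
     */
    static boolean isAllowedTarget(URL target) throws IOException {
        String scheme = target.getProtocol();
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return false;
        }
        for (InetAddress addr : InetAddress.getAllByName(target.getHost())) {
            if (addr.isLoopbackAddress() || addr.isAnyLocalAddress()
                    || addr.isSiteLocalAddress() || addr.isLinkLocalAddress()
                    || addr.isMulticastAddress()) {
                return false;
            }
        }
        return true;
    }

    /**
     * Opens the final (non-redirect) response for {@code start}, running the
     * SSRF check on the original URL and on every Location target in turn.
     */
    static HttpURLConnection fetch(String start) throws IOException {
        URL current = new URL(start);
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            if (!isAllowedTarget(current)) {
                throw new IOException("SSRF check rejected " + current);
            }
            HttpURLConnection conn = (HttpURLConnection) current.openConnection();
            // Order matters: this must be false BEFORE getResponseCode() is
            // called. With true, the JDK follows the 301 internally and the
            // check above never sees the redirected-to host.
            conn.setInstanceFollowRedirects(false);
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);

            int status = conn.getResponseCode();
            String location = conn.getHeaderField("Location");
            if (status / 100 != 3 || location == null) {
                return conn;   // not a redirect: hand the response to the caller
            }
            conn.disconnect();
            // Relative Location values are resolved against the current URL;
            // the loop then re-runs isAllowedTarget() on the new absolute URL.
            current = URI.create(current.toExternalForm()).resolve(location).toURL();
        }
        throw new IOException("too many redirects starting from " + start);
    }

    public static void main(String[] args) throws IOException {
        // Usage: java SafeRedirectFetcher http://example.com/
        String url = args.length > 0 ? args[0] : "http://example.com/";
        HttpURLConnection conn = fetch(url);
        System.out.println("final status " + conn.getResponseCode() + " from " + conn.getURL());
    }
}
```

With this ordering, the PoC's 301 to http://localhost:1122 is returned to fetch() as a plain 3xx response, the loopback target fails isAllowedTarget() on the next iteration, and no connection to port 1122 is made. One remaining gap to be aware of: the host is resolved once in the check and again when the connection opens, so a DNS answer that changes between the two lookups can still slip through; pinning the checked address (for example by connecting to the IP and setting the Host header) or resolving once through a custom socket layer closes that window.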
