SSRF in WireMock's Stub Recorder


Alexandre Philbert

Oct 18, 2022, 2:42:34 PM
to wiremock-user
Hello folks,

A friend of mine discovered a few months ago that he could make requests to the victim host's internal network (Server-side request forgery, SSRF) by abusing the stub recording feature.

I have a write-up of how exactly this is exploitable. I'll share a link to it with whoever is most appropriate!

To mitigate this, I believe the stub recording endpoints (http://localhost:8080/__admin/recordings/start) should be behind some kind of authentication and/or be completely inaccessible from the internet. Also, an allow-list feature could be implemented so that only expected URLs are passed to the stub recorder.

PS: I believe the CVE that was created and reserved for this is: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-30764

Thanks,
Alexandre Philbert

Tom Akehurst

Oct 27, 2022, 3:44:14 AM
to wiremock-user
There's a feature in the works to support inclusion/exclusion of IP ranges and domain name wildcards as proxy/recorder targets. Will be released with 2.35.0, hopefully before the end of this week.

It's already possible to plug in an authenticator over the admin API so I think we're already covered there for those that want that additional protection.
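The mitigations discussed in this thread (an authenticator on the admin API, an allow/deny list for proxy and recorder targets, and binding the server to a local interface), as an added example that is not code from this thread or from the WireMock project. It assumes WireMock 2.35.0 or later and that the configuration methods it calls (basicAdminAuthenticator, limitProxyTargets, NetworkAddressRules.builder, bindAddress) match that release; the hostnames, address ranges and credentials are placeholders.

```java
// Added example; not part of the WireMock project or of this thread.
// Assumptions: WireMock 2.35.0+ on the classpath, and that the method names
// used here match that release's WireMockConfiguration API (check them against
// the release you run). Hostnames, IP ranges and credentials are placeholders.
import java.util.Objects;

import com.github.tomakehurst.wiremock.WireMockServer;
import com.github.tomakehurst.wiremock.common.NetworkAddressRules;
import com.github.tomakehurst.wiremock.core.WireMockConfiguration;

public class RecorderHardening {

    /** Weak setup: admin API unauthenticated, recorder may proxy to any reachable target. */
    static WireMockConfiguration insecureDefaults() {
        return WireMockConfiguration.options().port(8080);
    }

    /**
     * Hardened setup: admin API behind HTTP Basic auth, proxy/recorder targets
     * restricted to an explicit allow list, listener bound to loopback only.
     */
    static WireMockConfiguration hardened(String adminUser, String adminPassword) {
        Objects.requireNonNull(adminPassword, "admin password must be set");

        NetworkAddressRules targetRules = NetworkAddressRules.builder()
            // Only the systems we actually intend to record (placeholders).
            .allow("api.example.com")
            .allow("*.partner.example.com")          // domain-name wildcard
            // Explicitly deny private ranges and the cloud metadata address so an
            // overly broad allow entry added later still cannot reach them.
            .deny("10.0.0.0-10.255.255.255")
            .deny("172.16.0.0-172.31.255.255")
            .deny("192.168.0.0-192.168.255.255")
            .deny("169.254.169.254")
            .build();

        return WireMockConfiguration.options()
            .port(8080)
            // Listen on loopback only; drop this if remote test clients need access.
            .bindAddress("127.0.0.1")
            // Every /__admin/* call, including /__admin/recordings/start,
            // now requires these credentials.
            .basicAdminAuthenticator(adminUser, adminPassword)
            // The recorder's targetBaseUrl (and proxyBaseUrl in stubs) must satisfy
            // these rules before WireMock forwards anything.
            .limitProxyTargets(targetRules);
    }

    public static void main(String[] args) {
        String password = System.getenv("WIREMOCK_ADMIN_PASSWORD");  // placeholder source
        WireMockServer server = new WireMockServer(hardened("admin", password));
        server.start();
        System.out.println("WireMock listening on 127.0.0.1:8080 with admin auth and target rules");
    }
}
```

To check the result, POST to /__admin/recordings/start with a JSON body whose targetBaseUrl points at one of the denied ranges: without the Basic auth credentials the request should be rejected outright, and with them the recorder should refuse to forward to a target that is not on the allow list. Keep the deny entries even when you have an allow list; the two together mean a later, careless widening of the allow list does not silently reopen the internal network.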

Alexandre Philbert

Oct 27, 2022, 9:44:52 AM
to wiremock-user
Sounds great! Thanks for the reply :)

Tom Akehurst

Nov 2, 2022, 4:57:17 PM
to wiremock-user