Java Snippet #06

This challenge covers the review of a snippet of code written in Java

PRO
Tier
Medium
< 1 Hr.
724

Course


The Code Review Snippet challenge in question focuses on a Java class named `Proxy` that fetches data from a given URL. The method `get(String uri)` initializes a URL object from the provided `uri`, opens a stream to read data, and returns the data as a string. However, this implementation has a critical security vulnerability.

The vulnerability lies in the fact that the method does not validate the `uri` scheme. This allows an attacker to supply a `file://` URL, enabling the reading of any local file on the server, such as sensitive configuration files or `/etc/passwd`. This flaw exposes the server to arbitrary local file read attacks, jeopardizing the confidentiality of the server’s data.

Want to learn more? Get started with PentesterLab Pro! GO PRO