During the past 2 days we had been having a lengthy conversation about how to map a third-party assessment finding for Server-Side Request Forgery (SSRF) to one of our team's categories... essentially a task of pounding a square peg into a round hole. A mini-debate ensued when a colleague asked for an example or two of SSRF, which I offered. That colleague then decided to write up a small code snippet to test one of our internal proprietary tools, to see if he could get it to recognize SSRF. One of the lines from his example code snippet had this gem in it:
request.getFromKevin("url");
My Reply
For some reason—perhaps simply in an attempt to put the seemingly endless email thread to bed—I decided to poke fun at myself in a self-deprecating way. Here was my response to the email. (It's probably too long, and no one will read it though. :)
Wait, what? HttpServletRequest.getFromKevin(String)??? I want to see the Javadoc for that one.
It probably reads something like:
getFromKevin

    A promising-sounding method that in fact does nothing, much like Kevin. In fact, the url parameter is completely ignored and the contents of /dev/urandom are read for 3GB or until the application crashes, whichever comes first. This method is used to simulate reading Kevin's random babble that he posts to simple Yes/No questions, which instead forces you to drink from a fire hose until your insides burst.

    Parameters:
        url - a String which is ignored, just like we try to do with Kevin

    Returns:
        a String containing random babble; a PleaseMakeHimStopException is thrown if the application runs out of memory trying to process the request
Anyway, let me know what you think. For those who are familiar with my TL;DR tendencies, you're probably thinking this fits me to a tee.
-kevin
P.S.- Follow me on Twitter @KevinWWall and RT if you enjoyed this. (Of course, others are saying "No, no. Don't encourage him or he will never shut up.")