Juicy Shop

SSRF via Image Import

Server SecurityA10:2021 – Server-Side Request Forgeryhigh

Vulnerability

The image-import feature fetches a URL supplied by the user without restricting the destination. Because the request originates from the server, it can reach resources the attacker cannot reach directly — cloud metadata endpoints (http://169.254.169.254/), internal admin panels, and services that trust the internal network. The server becomes a confused deputy, returning internal data or letting the attacker pivot into the network.

Exploit Steps

  1. Find the 'import image from URL' feature
  2. Instead of an image URL, supply http://169.254.169.254/latest/meta-data/
  3. Observe the server returns cloud instance metadata (potentially IAM credentials)
  4. Pivot to internal hosts/ports to map and reach services behind the firewall

Tools: Burp Suite, curl, internal port scanners

Mitigation & Solution

Validate against an allow-list of exact hosts the feature needs. Resolve the hostname and reject private/loopback/link-local/metadata ranges, then pin the connection to the validated IP to defeat DNS rebinding. Disable unneeded URL schemes and segment the fetcher so it has no route to internal services or metadata.

Coding Challenge

Find It

File: apps/juicy-shop/src/security-examples/ssrf-image-import.ts

Click the line that contains the vulnerability:

Fix It