Juicy Shop
SSRF via Image Import
Vulnerability
The image-import feature fetches a URL supplied by the user without restricting the destination. Because the request originates from the server, it can reach resources the attacker cannot reach directly — cloud metadata endpoints (http://169.254.169.254/), internal admin panels, and services that trust the internal network. The server becomes a confused deputy, returning internal data or letting the attacker pivot into the network.
Exploit Steps
- Find the 'import image from URL' feature
- Instead of an image URL, supply http://169.254.169.254/latest/meta-data/
- Observe the server returns cloud instance metadata (potentially IAM credentials)
- Pivot to internal hosts/ports to map and reach services behind the firewall
Tools: Burp Suite, curl, internal port scanners
Mitigation & Solution
Validate against an allow-list of exact hosts the feature needs. Resolve the hostname and reject private/loopback/link-local/metadata ranges, then pin the connection to the validated IP to defeat DNS rebinding. Disable unneeded URL schemes and segment the fetcher so it has no route to internal services or metadata.
Coding Challenge
Find It
File: apps/juicy-shop/src/security-examples/ssrf-image-import.ts
Click the line that contains the vulnerability: