curl "http://localhost:3000/api/Image?url=http://localhost:3000/encryptionkey.txt" HTTP 200 with the encryption key in the body (may be text/plain despite image content-type header). 5. Impact Assessment | Attack Vector | Impact | |---------------|--------| | Localhost file read | Exposure of source code, config files, secrets | | Internal port scan | Discovery of admin panels, databases, Redis, Jenkins | | Cloud metadata theft | IAM credentials, access tokens → cloud account compromise | | Service interaction (e.g., Redis, Memcached) | Potential RCE via protocol smuggling |
const isLocalhost = (url) => host === '::1'; ; if (isLocalhost(url)) return res.status(400).send('Localhost requests blocked'); owasp juice shop ssrf
SSRF occurs when an application fetches a remote resource based on user-supplied input without proper validation. In Juice Shop, the vulnerability is deliberately placed to educate developers on risks like internal network scanning, localhost access, and cloud metadata endpoint extraction. 2.1 Vulnerable Endpoint The primary SSRF vector in Juice Shop (version 14+) is the /api/Image endpoint. This endpoint accepts a URL parameter and attempts to fetch an image from that location. curl "http://localhost:3000/api/Image