curl "http://localhost:3000/api/Image?url=http://localhost:3000/encryptionkey.txt" HTTP 200 with the encryption key in the body (may be text/plain despite image content-type header). 5. Impact Assessment | Attack Vector | Impact | |---------------|--------| | Localhost file read | Exposure of source code, config files, secrets | | Internal port scan | Discovery of admin panels, databases, Redis, Jenkins | | Cloud metadata theft | IAM credentials, access tokens ā cloud account compromise | | Service interaction (e.g., Redis, Memcached) | Potential RCE via protocol smuggling |
http://localtest.me/encryptionkey.txt (if localtest.me resolves to 127.0.0.1) Use SSRF to probe internal IP ranges (e.g., 192.168.1.1 , 10.0.0.1 , 172.16.0.1 ). Example:
GET /api/Image?url=https://example.com/image.png HTTP/1.1 The server code (simplified) looks like: owasp juice shop ssrf
In Juice Shop, the impact is deliberately limited to reading a single file, but in real apps, SSRF often leads to complete internal network compromise. 6.1 Allowlist-Based Input Validation const ALLOWED_HOSTS = ['images.trusted.com', 'cdn.example.com']; const urlObj = new URL(userUrl); if (!ALLOWED_HOSTS.includes(urlObj.hostname)) return res.status(403).send('Host not allowed');
The challenge is solved when the student successfully extracts encryptionkey.txt . The OWASP Juice Shop SSRF challenge provides a realistic, hands-on example of how an innocent-looking image fetch endpoint can become a gateway to internal resources. By exploiting it, attackers can read local files, scan internal networks, and steal cloud credentials. Mitigation requires strict allowlisting, network controls, and never trusting user-supplied URLs. curl "http://localhost:3000/api/Image
GET /api/Image?url=http://localhost:3000/encryptionkey.txt If the challenge is active, the server will fetch that internal resource and return its content inside the image response (or as plain text if content type mismatches).
const isLocalhost = (url) => ; if (isLocalhost(url)) return res.status(400).send('Localhost requests blocked'); Example: GET /api/Image
Abstract Server-Side Request Forgery (SSRF) remains a critical web security vulnerability, often enabling internal network reconnaissance, port scanning, and cloud metadata theft. OWASP Juice Shop, a modern intentionally vulnerable web app, contains multiple SSRF challenges that simulate real-world misconfigurations. This paper dissects the Juice Shop SSRF attack surface, demonstrates exploitation techniques, and discusses detection and prevention strategies. 1. Introduction OWASP Juice Shop is a Node.js/Express-based application packed with vulnerabilities from the OWASP Top 10. Among its medium-difficulty challenges is SSRF (Server-Side Request Forgery) ā specifically the challenge titled āSSRFā (ID: ssrf ) and related endpoints that allow an attacker to make the server perform arbitrary HTTP requests.