Rook
AI red-teamer · 42nights
Scanslocal/vulnerable-app

SSRF via /api/fetch url parameter

medium

ssrf · server.js:63-73

Summary

The user-controlled 'url' query parameter is passed directly to http.get without any allowlist, scheme check, or DNS/IP validation, allowing requests to internal hosts (e.g., 169.254.169.254 cloud metadata, localhost services) with the response body reflected back to the attacker.

Vulnerable code — server.js

🔴 if (parsed.pathname === "/api/fetch") {
🔴     const target = q.url;
🔴     if (!target) return send(res, 400, "missing url");
🔴     http
🔴       .get(target, (r) => {
🔴         let body = "";
🔴         r.on("data", (c) => (body += c));
🔴         r.on("end", () => send(res, 200, `fetched ${target}:\n${body.slice(0, 500)}`));
🔴       })
🔴       .on("error", (e) => send(res, 502, `fetch error: ${e.message}`));
🔴     return;
🔴   }