Inspecting the network traffic reveals that the server makes a backend request to: https://maps.googleapis.com/maps/api/staticmap?center=...
const dns = require('dns').promises; const ip = await dns.lookup(urlObj.hostname); if (isPrivateIP(ip.address)) throw new Error('Blocked'); The SSRF vulnerability in OWASP Juice Shop is small but elegant. It demonstrates a single line of missing validation leading to a complete breach of network segmentation. For penetration testers, mastering SSRF means understanding that the server is just another user—one with far more privileges. juice shop ssrf
"url": "file:///etc/passwd" Juice Shop's Node.js request module does follow file:// by default, but older urllib or curl wrappers do. Defenses: How to Kill SSRF Juice Shop is vulnerable by design. Here is how to fix it in production: 1. Allowlist, Never Blocklist const ALLOWED_DOMAINS = ['maps.googleapis.com', 'trusted-cdn.com']; const urlObj = new URL(userUrl); if (!ALLOWED_DOMAINS.includes(urlObj.hostname)) return res.status(403).send('Domain not allowed'); Inspecting the network traffic reveals that the server
(Note: Exact path varies by version; check the challenge description in Juice Shop). SSRF is rarely an end in itself. In Juice Shop, it's a proof-of-concept, but in real systems, combine SSRF with other vulnerabilities: 1. Cloud Metadata Extraction If Juice Shop were deployed on AWS with a misconfigured IMDSv1: Here is how to fix it in production: 1
| Defense | Bypass Technique | |---------|------------------| | Block localhost | Use 127.0.0.1 , 0.0.0.0 , [::1] , or localhost.me | | Block IP addresses | Use decimal IP: http://2130706433/ (for 127.0.0.1) | | Block internal subnets | Register a domain internal.yourlab.com that resolves to 10.0.0.1 | | Protocol restriction ( http:// only) | Use file:///etc/passwd or gopher:// or dict:// | The specific Juice Shop SSRF challenge requires you to fetch an image from a non-existent internal service to trigger an error message containing a flag.
Or more classically: The functionality, where you provide a URL to an image of your broken juice. The server tries to fetch that image to validate it. The Vulnerability: Unvalidated URL Fetching Let's look at the pseudo-code of the vulnerable endpoint: