Exploiting Server Side Request Forgery on a Node/Express Application (hosted on Amazon EC2)
I recently came across a Server Side Request Forgery (SSRF) vulnerability within an application that I assessed. The application was hosted on Amazon EC2 and was using Node.js, Express.js, and, as I found out later, Needle.js.

Discovery

Manual Discovery

In the discovery phase, I noticed a function of the application that was taking a user-specified URL and displaying the first paragraph from that URL in the page. This application allowed a user to share a URL with their friends, and grabbing the first paragraph was a feature that would provide the friends with more context.

The thing is, when looking at my Burp history, I could not find the request to the URL that I specified in my logs. This should raise an eyebrow! This means that the server is taking the URL I specified, making a request on my behalf, and then returning the result to me. That right there is SSRF. Then, the only question was: what is the risk?

Automated Discovery

Since April 2015, if you a
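To make the pattern concrete, here is an added example (not code from the post or from the application that was assessed) of a URL-preview handler in the shape described above: the vulnerable form, which fetches whatever URL the client supplies, next to a hardened form that checks the outbound URL first. The names `previewHandlerUnsafe`, `previewHandlerSafe`, `isSafeOutboundUrl` and `firstParagraph` are hypothetical, and the `fetcher` argument stands in for Needle or `http` so that the code runs offline with a constructed fake.

```javascript
// Added example, not from the original post. Names are hypothetical; the
// fetcher is injected so the handlers can be exercised without a network.

// True when a dotted-quad IPv4 address is not a public unicast address.
function isNonPublicIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return (
    a === 0 ||                              // 0.0.0.0/8 "this" network
    a === 10 ||                             // 10.0.0.0/8 private
    a === 127 ||                            // 127.0.0.0/8 loopback
    (a === 169 && b === 254) ||             // 169.254.0.0/16 link-local
    (a === 172 && b >= 16 && b <= 31) ||    // 172.16.0.0/12 private
    (a === 192 && b === 168) ||             // 192.168.0.0/16 private
    (a === 100 && b >= 64 && b <= 127) ||   // 100.64.0.0/10 carrier-grade NAT
    a >= 224                                // multicast and reserved
  );
}

// True when an IPv6 literal is loopback, unspecified, unique-local,
// link-local, or IPv4-mapped (rejected outright: it only serves to dodge
// the IPv4 check above).
function isNonPublicIPv6(ip) {
  const h = ip.toLowerCase();
  if (h === '::' || h === '::1') return true;
  if (h.startsWith('fc') || h.startsWith('fd')) return true;      // fc00::/7
  if (/^fe[89ab]/.test(h)) return true;                           // fe80::/10
  if (h.startsWith('::ffff:')) return true;                       // IPv4-mapped
  return false;
}

// Decide whether the server may fetch a user-supplied URL.
// Returns { ok: true, url } or { ok: false, reason }.
function isSafeOutboundUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL not allowed' };
  }
  // The WHATWG URL parser has already normalised numeric hosts such as
  // http://2130706433/ to dotted form, so the checks below see 127.0.0.1.
  let host = url.hostname;
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1);
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'localhost not allowed' };
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isNonPublicIPv4(host)) {
    return { ok: false, reason: `non-public IPv4 address ${host}` };
  }
  if (host.includes(':') && isNonPublicIPv6(host)) {
    return { ok: false, reason: `non-public IPv6 address ${host}` };
  }
  return { ok: true, url: url.href };
}

// Pull the first <p>...</p> out of a page body (the feature the post describes).
function firstParagraph(html) {
  const m = /<p[^>]*>([\s\S]*?)<\/p>/i.exec(html);
  return m ? m[1].trim() : '';
}

// Vulnerable pattern: the server fetches whatever URL the client sent, so the
// request never shows up in the client's proxy history.
function previewHandlerUnsafe(query, fetcher) {
  const body = fetcher(query.url);
  return { status: 200, preview: firstParagraph(body) };
}

// Hardened pattern: validate before fetching and tell the fetcher not to follow
// redirects, since a redirect to an internal address would bypass the check.
function previewHandlerSafe(query, fetcher) {
  const check = isSafeOutboundUrl(query.url);
  if (!check.ok) return { status: 400, error: check.reason };
  const body = fetcher(check.url, { followRedirects: false });
  return { status: 200, preview: firstParagraph(body) };
}
```

The literal-address check is only part of the story: a hostname under the attacker's control can resolve to an internal address, so a production version should resolve the name, apply the same checks to every returned address, and connect to that exact address rather than resolving again, with redirects disabled or re-validated hop by hop.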