HackVitraSec - Cybersecurity Company India | VAPT, Ethical Hacking, Web App Security

Case Study: SSRF via Image Upload in Cloud App

Client Type: Cloud-based SaaS | Engagement: VAPT | Date: July 2025

Background

A cloud-hosted SaaS platform with a document verification feature allowed users to upload profile images and ID proofs. HackVitraSec was hired to test for file upload and injection flaws.

Vulnerability Discovery

We found that the image URL provided by users was fetched server-side (via cURL). This enabled a classic Server-Side Request Forgery (SSRF) by providing internal IPs or metadata endpoints in the upload field.

Example payload: http://169.254.169.254/latest/meta-data/

Impact

  • Exposed AWS EC2 instance metadata
  • Potential to retrieve IAM role credentials
  • Risk of lateral movement within internal cloud network

Proof of Concept

Using Burp Suite's Intercept tool, we altered the image URL field to request internal cloud IPs. The server responded with metadata content — confirming SSRF.

Fix Implemented

  • Server now validates hostnames/IPs against a safe list
  • Connection timeout and DNS rebinding protections added
  • Disallowed use of internal IP ranges (e.g. 127.0.0.1, 169.254.0.0/16)

Recommendations

  • Use SSRF scanners like SSRFmap and Burp Collaborator
  • Whitelist only CDN/image domains for fetch requests
  • Always sanitize user-provided URLs server-side
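The following is an added illustration of the fix and recommendations above, written for this write-up; it is not HackVitraSec's or the client's code. It assumes the application fetches images from a small fixed set of CDN hostnames (the ALLOWED_HOSTS values are constructed), that the resolver can be swapped for testing, and that the HTTP client can be told to connect to a pre-resolved IP while sending the original Host header. It combines the three measures the fix lists: a hostname allow list, an explicit block of internal and link-local ranges, and DNS rebinding protection by validating every resolved record and pinning the one the fetch will use.

```python
"""Validate a user-supplied image URL before the server fetches it.

Added example, not code from the original case study. Assumed environment:
a fixed CDN allow list and an HTTP client that accepts a pre-resolved IP.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hostnames the server may fetch from (constructed sample values).
ALLOWED_HOSTS = {"cdn.example-images.com", "images.example-cdn.net"}

# Ranges that must never be contacted, even if an allow-listed host resolves
# to them. 169.254.0.0/16 covers the cloud metadata endpoint from the report.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched server-side."""


@dataclass(frozen=True)
class PinnedTarget:
    host: str  # value for the Host header / TLS SNI
    ip: str    # address the socket must actually connect to


def default_resolver(host: str) -> list[str]:
    """Return every A/AAAA record for host (all of them are checked)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_blocked_ip(ip_text: str) -> bool:
    """True if the address is internal, link-local, loopback or otherwise unroutable."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_fetch_url(url: str, resolver: Resolver = default_resolver) -> PinnedTarget:
    """Return a pinned (host, ip) pair the fetcher may use, or raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL are not allowed")
    host = parts.hostname  # already lower-cased, IPv6 brackets stripped
    if not host:
        raise UnsafeURL("missing host")
    # Literal IPs (the original payload shape) never go through the allow list.
    if _is_ip_literal(host):
        raise UnsafeURL("IP literals are not allowed; use an allow-listed hostname")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not on allow list: {host}")
    ips = list(resolver(host))
    if not ips:
        raise UnsafeURL(f"{host} did not resolve")
    # Every record must pass: a mixed answer is how rebinding / round-robin
    # tricks slip an internal address past a check that looks at one record.
    for ip in ips:
        if is_blocked_ip(ip):
            raise UnsafeURL(f"{host} resolves to blocked address {ip}")
    # Pin the checked address. The fetcher connects to this IP and sends
    # Host: host, so no second DNS lookup happens between check and connect.
    return PinnedTarget(host=host, ip=ips[0])


if __name__ == "__main__":
    # The payload from the report is rejected before any connection is made.
    for candidate in ("http://169.254.169.254/latest/meta-data/",
                      "https://cdn.example-images.com/avatar.png"):
        try:
            # Offline stand-in for DNS so the demo runs without a network.
            target = validate_fetch_url(candidate, resolver=lambda h: ["8.8.8.8"])
            print("fetch allowed:", candidate, "->", target)
        except UnsafeURL as err:
            print("rejected:", candidate, "-", err)
```

The important design choice is that the result of validation, not the original URL, is what the fetch uses: the HTTP client should open its socket to `PinnedTarget.ip` and only set the Host header (and SNI) to `PinnedTarget.host`. Validating the hostname and then letting cURL resolve it again at connect time leaves the rebinding window the fix set out to close. Redirects need the same treatment, either by disabling them or by running each redirect target through `validate_fetch_url` before following it.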

Need a VAPT Security Audit?

Contact HackVitraSec Today