#0312

Cloud Metadata SSRF

Difficulty: Hard | +500 XP | A10:2021 Server-Side Request Forgery | CWE-918
Tags: SSRF, Cloud, AWS, Node.js

Scenario

A Node.js service exposes a /fetch endpoint that accepts a URL and retrieves its content — intended for fetching external RSS feeds.

The implementation does not validate whether the URL points to internal or cloud-metadata addresses. On AWS, Azure, and GCP, the metadata endpoint at 169.254.169.254 exposes IAM credentials, instance identity, and secrets.

This SSRF pattern was central to the 2019 Capital One breach (CVE-2019-3799) and remains one of the most impactful vulnerability classes in cloud environments.

On any cloud provider, the metadata endpoint at 169.254.169.254 exposes temporary IAM credentials that give full API access to the instance's role — account takeover in one request.

Your Tasks

  1. Fix fetchUrl(url) so it blocks requests to private IP ranges: 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 127.0.0.0/8.
  2. Also block localhost and 0.0.0.0 by hostname.
  3. Allowed URLs (public IPs) must still work — the function should fetch them normally.
  4. Throw an error with the message 'SSRF: blocked' for disallowed targets.

Examples

Example 1: Blocked — metadata endpoint

await fetchUrl('http://169.254.169.254/latest/meta-data/iam/security-credentials/')
// → throws Error('SSRF: blocked')

Example 2: Allowed — public URL

await fetchUrl('https://example.com/feed.xml')
// → returns response body string

Constraints

  • Only edit lines 4–18 in the template.
  • You may use Node.js built-ins only (url, net, dns). No npm packages.
  • The fix must not break legitimate public URL fetches.
