Lab 2: Image Proxy Service

Difficulty: Medium

Lab Overview

This lab demonstrates an SSRF vulnerability in an image proxy service. The application fetches images from user-supplied URLs without proper validation, allowing access to internal services and files.

Objective: Use SSRF to access internal services, cloud metadata, or local files through the image proxy.

Vulnerable PHP Code

// Handle image proxy request
if (isset($_GET['image']) && !empty($_GET['image'])) {
    $url = $_GET['image'];
    
    // Vulnerable: No validation of image URL
    try {
        $context = stream_context_create([
            'http' => [
                'timeout' => 10,
                'user_agent' => 'ImageProxy/1.0',
                'follow_location' => true,
                'max_redirects' => 5
            ]
        ]);
        
        $image_data = file_get_contents($url, false, $context);
        
        if ($image_data !== false) {
            $image_info = getimagesizefromstring($image_data);
            // Display image
        }
    } catch (Exception $e) {
        // Error handling
    }
}

// Example vulnerable usage:
// ?image=https://example.com/image.jpg
// ?image=http://localhost:8080
// ?image=file:///etc/passwd

Image Proxy Demo

Failed to load image: http://localhost:8080

Quick Test URLs:

Vulnerability Details

Type: Server-Side Request Forgery (SSRF)
Severity: High
Parameter: image
Method: GET
Issue: Image URL fetching without validation

Test Payloads

Try these payloads in the image parameter:

http://localhost:8080 - Local service
http://127.0.0.1:3306 - Database port
file:///etc/passwd - Local file
http://169.254.169.254/ - Cloud metadata
http://localhost:22 - SSH port

Example URLs:

2.php?image=http://localhost:8080
2.php?image=file:///etc/passwd

Real-World Attack Scenarios

Access to internal services through image parameters
Cloud metadata and credentials exposure
Database access and data exfiltration
Local file system access
Port scanning and service enumeration
Bypassing firewalls and network restrictions
Image processing vulnerabilities

Mitigation Strategies

Validate and whitelist allowed image URLs
Block private IP ranges and localhost
Use URL parsing libraries to validate URLs
Implement proper error handling
Use outbound proxies with restrictions
Disable dangerous protocols (file://, gopher://)
Implement request timeouts and size limits
Validate image format and content