Expected Findings
- Proxy accepts arbitrary schemes including `file://` and `http://localhost`.
- AWS instance metadata is reachable through the proxy.
- Internal services on the same host return their banners.
Image Proxy
SSRF Image Proxy
The avatar resizer fetches any URL the client supplies, including cloud metadata, internal services, and `file://` paths.
Avatar fetcher
Primary Flows
- Cloud metadata SSRF AWS IMDSv1 path
- Internal Redis Localhost service probe
- File scheme Reads local files
Signals
Code
resp, _ := http.Get(req.URL.Query().Get("url")) // no allow-list