Pantsir
Created 30 Aug 2025, updated 13 Feb 2026
Orders Receipt Renderer (SSRF)
A Flask receipt renderer fetches user-provided URLs directly, enabling SSRF into internal and metadata endpoints.
Python, 240 pts, 25 min

Story

Your commerce platform renders branded order receipts by downloading remote HTML templates. Product wants marketing teams to host templates externally for fast iteration.

A red-team exercise shows the renderer can fetch internal URLs, including loopback and cloud metadata paths.

System Context

The project contains two fetch flows:

  • GET /render?url=... in files/app.py
  • GET /api/receipts/preview?url=... in files/blueprints/receipts.py

Both rely on the same insecure helper in files/utils/http.py.

Problem

The renderer makes outbound HTTP requests to destinations chosen by request input, but the destination is not checked against a strict host/network policy before the fetch happens. That behavior lets untrusted callers use this service as a proxy into internal-only resources, metadata endpoints, and adjacent network surfaces. In production, this turns a document-rendering feature into a reconnaissance and pivot channel.
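The host/network policy the helper is missing, as an added example that is not part of the lab's files/utils/http.py: a check the fetch helper would run on the caller-supplied URL before requesting it. The resolver is injectable (an assumption for offline use); the default uses the system DNS.

```python
# Added example, not the lab's files/utils/http.py: the destination check a
# Flask fetch helper should run before issuing the outbound request.
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Cloud metadata services answer on this link-local address / name.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}


def _resolve(host):
    """Default resolver: every address record for host (assumes DNS is up)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_destination(url, resolver=_resolve):
    """Return (ok, reason, pinned_ip).

    Rejects any URL whose host resolves to a loopback, private, link-local,
    reserved, multicast or unspecified address, so the renderer cannot be
    pointed at internal services or metadata endpoints. The resolver is
    injectable so the check can be exercised offline.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    if host in METADATA_HOSTS:
        return False, "metadata endpoint", None
    try:
        addrs = resolver(host)
    except OSError:
        addrs = []
    if not addrs:
        return False, "unresolvable host", None
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # An IPv4-mapped IPv6 literal (::ffff:10.0.0.1) must be judged as IPv4.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return False, f"{host} resolves to non-public {addr}", None
    # Pin the vetted address: the fetch must connect to this IP (URL rewritten,
    # Host header set) rather than resolve the name again, or a DNS rebinding
    # answer could swap in an internal address between check and connect.
    return True, "ok", addrs[0]
```

A name that resolves to several addresses is rejected if any one of them is non-public; redirects returned by the remote template host must be re-checked with the same function before being followed.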

Goal

Find the exact vulnerable line in the project code.
