Cloudflare Transform via URL Injection (Potential SSRF Vulnerability)


Report #ad5e8ea0-78b1-4b6c-a3be-9132a7308e33 in Hackrate Responsible Disclosure Program

Disclosed Report
Status
Resolved (Closed)
Target
Tier 1
bugbounty.hr443.com
Severity
Medium
Details
Program
Hackrate Responsible Disclosure Program
Target
bugbounty.hr443.com
Creation Date
6/8/2025 4:00:48 PM
Severity
Medium
CVSS Score
None

CVE Number
None
Visibility
Disclosed
Disclosed at
12/29/2025 5:38:00 PM
Author
@MRKNIGHTNIDU
Status
Resolved (Closed)
Vulnerability Type
Server Side Include (SSI) Injection
Summary

A potential Server-Side Request Forgery (SSRF) vulnerability was identified in the Cloudflare image transformation feature via URL injection on the domain https://www.hckrt.com. The service allows arbitrary URLs to be processed through the /cdn-cgi/image/ endpoint, which may permit unauthorized internal or external requests.

Description

Type: Server-Side Request Forgery (SSRF)
Component: Cloudflare Image Transformation (/cdn-cgi/image/)
Protocol: HTTP
Affected URLs:
Primary: https://www.hckrt.com/cdn-cgi/image/width=1000,format=auto/https://i.top4top.io/p_3418i5bta1.jpg
SSRF Test: https://www.hckrt.com/cdn-cgi/image/width=1000,format=auto/http://d12qt211ps90bq4pce4gqfjqkxwihmihj.oast.site

Description

The Cloudflare image transformation endpoint (/cdn-cgi/image/) appears to accept arbitrary URLs as part of the image source parameter. By appending a malicious or test URL (e.g., https://d12qnah1ps9c7f4hbhb0gyt4tady6ng11.oast.live), an attacker may be able to trigger unauthorized server-side requests. This could potentially allow access to internal network resources, external services, or sensitive metadata, depending on the server’s configuration and restrictions.

Steps to Reproduce

1. Access the following URL, which demonstrates the image transformation functionality with a legitimate external image source:
   https://www.hckrt.com/cdn-cgi/image/width=1000,format=auto/https://i.top4top.io/p_3418i5bta1.jpg

2. Modify the URL to include a test payload for SSRF:
   https://www.hckrt.com/cdn-cgi/image/width=1000,format=auto/http://d12qt211ps90bq4pce4gqfjqkxwihmihj.oast.site

3. Monitor the OAST (Out-of-Band Application Security Testing) service (e.g., Interactsh or similar) for any incoming requests. If a request is received, it confirms that the server processed the injected URL, indicating a potential SSRF vulnerability.

Impact

Potential Risks:
- Unauthorized access to internal network resources (if the server can make internal requests).
- Interaction with external services on behalf of the server, potentially bypassing IP-based restrictions.
- Exposure of sensitive metadata or credentials in certain configurations.

Severity: Unknown without further details on the server’s network access and response behavior. Likely medium to high if internal resources are accessible.

Proof of Concept (PoC)

URL 1: https://www.hckrt.com/cdn-cgi/image/width=1000,format=auto/https://i.top4top.io/p_3418i5bta1.jpg
Result: Successfully processes and transforms the image from the external source.

URL 2 (SSRF Test): https://www.hckrt.com/cdn-cgi/image/width=1000,format=auto/http://d12qt211ps90bq4pce4gqfjqkxwihmihj.oast.site
Result: Monitor the OAST service for HTTP/DNS interactions. A hit on the OAST domain confirms SSRF.

Mitigation Recommendations

- Input Validation: Restrict the /cdn-cgi/image/ endpoint to only process whitelisted domains or internal resources.
- URL Filtering: Implement strict URL validation to prevent arbitrary external or internal URLs from being processed.
- Network Restrictions: Ensure the server cannot make requests to internal network resources or untrusted external services.
- Monitoring: Log and monitor all requests made by the image transformation service to detect anomalous behavior.
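One way to implement the domain allowlist recommended above, as an added example that is neither the report's nor Cloudflare's own code: it parses the /cdn-cgi/image/<options>/<source> path shape shown in the PoC and only approves sources whose scheme and host are allowlisted. The allowlisted hostnames are constructed; a Cloudflare Worker placed in front of the resizer would call this check before forwarding the request.

```javascript
// Added example, not code from the report or from Cloudflare. It implements the
// "whitelisted domains" recommendation: the source URL embedded in a
// /cdn-cgi/image/<options>/<source> path is only fetched when its scheme and
// host are on an explicit allowlist. Hostnames in the allowlist are constructed.
const TRANSFORM_PREFIX = "/cdn-cgi/image/";

// Hypothetical allowlist of image origins this site is willing to resize from.
const ALLOWED_ORIGIN_HOSTS = new Set(["images.example.com", "cdn.example.org"]);

// Split "<options>/<source>" into a parsed options object and the source URL.
// Returns null when the path is not a transform request at all; source is null
// when it is not an absolute URL (Cloudflare also accepts zone-relative paths).
function parseTransformPath(path) {
  if (!path.startsWith(TRANSFORM_PREFIX)) return null;
  const rest = path.slice(TRANSFORM_PREFIX.length);
  const slash = rest.indexOf("/"); // options never contain "/", so this ends them
  if (slash < 0) return null;
  const options = Object.fromEntries(
    rest.slice(0, slash).split(",").filter(Boolean).map((kv) => {
      const [key, ...value] = kv.split("=");
      return [key, value.join("=")];
    })
  );
  let source = null;
  try {
    source = new URL(rest.slice(slash + 1));
  } catch {
    // relative path or garbage: no absolute URL to validate
  }
  return { options, source };
}

// Decide whether the resizer may fetch this source. Literal IP hosts (IPv4 or
// bracketed IPv6) are rejected before the allowlist lookup so that loopback or
// link-local addresses can never slip through a later wildcard entry.
function isAllowedTransform(path, allowedHosts = ALLOWED_ORIGIN_HOSTS) {
  const parsed = parseTransformPath(path);
  if (!parsed) return { allowed: false, reason: "not a transform request" };
  const { options, source } = parsed;
  if (!source) return { allowed: false, reason: "source is not an absolute URL" };
  if (source.protocol !== "https:") return { allowed: false, reason: "scheme " + source.protocol };
  const host = source.hostname.toLowerCase();
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return { allowed: false, reason: "literal IP host" };
  if (!allowedHosts.has(host)) return { allowed: false, reason: "host not allowlisted: " + host };
  return { allowed: true, reason: "ok", width: options.width };
}
```

The URL parser normalizes numeric host forms (for example a decimal IPv4 literal) to dotted notation before the literal-IP check runs, so encoding tricks at the host level do not bypass it; the allowlist comparison is exact, not suffix based.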

Timeline
MRKNIGHTNIDU

Created.

Sunday, June 8, 2025 4:00 PM
Tyrell

Changed to Accepted (Open)

Tuesday, June 17, 2025 12:27 PM
Tyrell

Severity changed from High to Medium

Tuesday, June 17, 2025 12:27 PM
Tyrell

Changed to Resolved (Closed). Hi! The remediation was deployed; if you can bypass the fix, please let us know.

Wednesday, July 2, 2025 12:03 PM