Server-Side Request Forgery Vulnerability Discovered in OopsSec Store Support Form

7 Feb 2026

SSRFvulnerabilitysecurityweb-securityserver-side-request-forgeryexploitinternal-accesslocalhostcybersecuritypenetration-testing

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the OopsSec Store support form. The flaw allows an attacker to exploit the "Screenshot URL" field to force the server to fetch arbitrary URLs and return their content. The server performs a fetch() on the provided URL without validation, allowing access to internal resources that are normally protected. The exploitation consists of submitting the URL http://localhost:3000/internal via the form, thus bypassing direct access restrictions that redirect to the home page. The flag OSS{s3rv3r_s1d3_r3qu3st_f0rg3ry} is retrieved from this internal page. Recommended corrective measures include validation of HTTP/HTTPS protocols, blocking localhost addresses and private IP ranges (10.x, 172.16-31.x, 192.168.x), using a whitelist of authorized domains, and sanitizing responses before display.