# humand-main-api — SSRF via database-configured external endpoint URLs

STATUS: DRAFT
program: humand | platform: huntr | repo: HumandDev/humand-main-api | commit: bb975d08cc

````
Repository URL: https://github.com/HumandDev/humand-main-api
Package Manager: npm
CVSS:
  Attack Vector: Network
Title: humand-main-api — SSRF via database-configured external endpoint URLs
Description:

## huntr Form Fields

```
Package Manager: npm
Version Affected: latest (commit bb975d08cc)
Vulnerability Type: Server-Side Request Forgery (SSRF)
CVSS:
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: High
  User Interaction: None
  Scope: Changed
  Confidentiality: High
  Integrity: Low
  Availability: Low
Title: External endpoint invocation allows server-side requests to attacker-controlled/internal URLs
```

### Description

The external endpoint service performs server-side HTTP requests to URLs stored in database configuration, with no allowlist or internal-network blocking controls present at the sink. When an attacker can influence endpoint configuration (e.g., admin misuse or chained SQLi), they can force the server to request internal resources such as:

- `http://169.254.169.254/latest/meta-data/`
- `http://localhost:/...`
- private RFC1918 services

This is a classic SSRF primitive and can be combined with custom headers for deeper internal abuse.

### Proof of Concept

1. Configure an external endpoint URL to a controlled collaborator domain or internal target.
2. Trigger endpoint invocation through the normal product flow.
3. Observe the inbound request at the collaborator service (or internal side effects), originating from the server IP.

Example malicious endpoint URL:

```text
http://169.254.169.254/latest/meta-data/iam/security-credentials/
```

Verification-first approach:

```text
https:///humand-ssrf-probe
```

Expected vulnerable behavior: the backend initiates an outbound HTTP request to the attacker-supplied/internal address.

### Impact

SSRF can expose cloud metadata credentials, enumerate internal services, and provide a pivot path to otherwise unreachable infrastructure. Combined with environment/header leakage paths, the blast radius increases significantly.

### Occurrences

```
Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/src/api/services/externalEndpoints.ts#L68-L78
Description: invokeExternalEndpoint sends requests to the DB-configured URL with dynamic method/headers

Permalink: https://github.com/HumandDev/humand-main-api/blob/bb975d08cc/src/api/services/externalEndpoints.ts#L18-L36
Description: endpoint lookup uses DB-provided endpointName/method/URL configuration
```

### References

```
URL: https://cwe.mitre.org/data/definitions/918.html
Name: CWE-918: Server-Side Request Forgery (SSRF)

URL: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
Name: OWASP SSRF Attack

URL: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
Name: OWASP SSRF Prevention Cheat Sheet
```
````
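The missing control at the sink is a URL gate that runs before `invokeExternalEndpoint` hands a DB-configured URL to the HTTP client. The TypeScript below is an added illustration of such a gate, not code from the humand-main-api repository; `ALLOWED_HOSTS` and `validateEndpointUrl` are hypothetical names, and the allowlisted host is a constructed value.

```typescript
// Hosts (lowercase) that operators have explicitly approved for outbound calls.
// ASSUMPTION: a real deployment loads this from configuration, not source.
const ALLOWED_HOSTS = new Set<string>(["api.partner.example"]);

// Ranges the server must never be made to call: 0/8, loopback, link-local
// (cloud metadata), RFC1918 private space, and CGNAT 100.64/10.
function isBlockedIpv4(addr: string): boolean {
  const [a, b] = addr.split(".").map(Number);
  return a === 0 || a === 127 || a === 10 ||
    (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 100 && b >= 64 && b <= 127);
}

// Loopback/unspecified, link-local, ULA, and IPv4-mapped literals
// (the WHATWG parser serializes ::ffff:169.254.169.254 as ::ffff:a9fe:a9fe).
function isBlockedIpv6(addr: string): boolean {
  if (addr === "::1" || addr === "::") return true;
  if (/^(fe80|fc..|fd..):/.test(addr)) return true;
  const mapped = addr.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (!mapped) return false;
  const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
  return isBlockedIpv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
}

function tryParse(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Gate a DB-configured endpoint URL before it reaches the HTTP client.
// Returns null when acceptable, otherwise the reason it was rejected.
// The WHATWG parser normalizes hex/octal/integer IPv4 forms (0x7f000001,
// 2130706433) to dotted decimal, so the range check sees the real address.
// Hostnames still resolve at request time: pair this gate with a check of
// the resolved address at connect time to cover DNS rebinding.
function validateEndpointUrl(raw: string): string | null {
  const url = tryParse(raw);
  if (!url) return "unparseable URL";
  if (url.protocol !== "https:") return `scheme not allowed: ${url.protocol}`;
  if (url.username || url.password) return "credentials in URL not allowed";
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return "loopback hostname";
  if (/^\d+(\.\d+){3}$/.test(host) && isBlockedIpv4(host)) return `blocked IPv4 range: ${host}`;
  if (host.includes(":") && isBlockedIpv6(host)) return `blocked IPv6 range: ${host}`;
  if (!ALLOWED_HOSTS.has(host)) return `host not in allowlist: ${host}`;
  return null;
}
```

Rejections should be logged with the endpoint identifier so that a configuration pointing at metadata or loopback addresses shows up in detection, not just as a silent failure.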