Code Room
On-call | Hard | oc-g369
Subject: Security incidents
Level: Senior–Staff
~45 min
Common in: Security · Reliability & on-call interviews
Industries: Software development, Technology

Question

Your 'import from URL' feature (a server-side **PDF/HTML renderer** that fetches a user-supplied link) has an allowlist blocking `169.254.169.254` and RFC1918 ranges. A bug-bounty report shows it was bypassed: the attacker supplied a URL on their own domain that returns an HTTP **302 redirect** to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`, and the renderer followed the redirect (the allowlist only checked the *original* URL, not the redirect target). CloudTrail now shows the renderer host's instance role used from an external IP. How do you triage the blast radius, contain it, and fix the SSRF properly?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
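
For the "fix the SSRF properly" part of the question, one way to vet every redirect hop instead of only the original URL (an added example, not code from this page or from the renderer it describes). The `fetch_one` transport, the `sample_*` names and the DNS/HTTP sample data are assumptions constructed for illustration, and `fetch_one` is assumed to return the `Location` header under that exact key.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

class BlockedURL(Exception):
    """A hop of the fetch points at a destination the renderer must not reach."""

def resolve(host, port):
    # Default resolver: every address the name maps to (A and AAAA).
    return {ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)}

def vet(url, resolver=resolve):
    """Return one vetted IP for url, or raise BlockedURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(f"scheme or host not allowed: {url}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = sorted(resolver(parts.hostname, port))
    # is_global is False for 169.254.0.0/16, RFC1918, loopback and similar ranges.
    if not addrs or any(not ipaddress.ip_address(a).is_global for a in addrs):
        raise BlockedURL(f"{parts.hostname}: no address or a non-public one {addrs}")
    return addrs[0]

def safe_fetch(url, fetch_one, resolver=resolve, max_hops=5):
    """Follow redirects by hand, vetting every hop rather than only the first URL.
    fetch_one(url, ip) is a hypothetical transport that connects to the vetted ip,
    never follows redirects itself, and returns (status, headers, body)."""
    for _ in range(max_hops + 1):
        ip = vet(url, resolver)  # pinning this ip closes the DNS-rebinding gap
        status, headers, body = fetch_one(url, ip)
        if status not in (301, 302, 303, 307, 308) or "Location" not in headers:
            return status, body
        url = urljoin(url, headers["Location"])  # handles relative targets
    raise BlockedURL("too many redirects")

# Constructed sample data: fake DNS answers and responses so this runs offline.
SAMPLE_DNS = {"attacker.example": {"93.184.216.34"}, "cdn.example": {"93.184.216.35"}}
SAMPLE_HTTP = {
    "http://attacker.example/doc": (302, {"Location":
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}, b""),
    "http://cdn.example/a": (301, {"Location": "/b"}, b""),
    "http://cdn.example/b": (200, {}, b"<html>ok</html>"),
}
def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, {host})  # IP literals resolve to themselves

def sample_fetch(url, ip):
    return SAMPLE_HTTP[url]
```

Application-level vetting like this is one layer; it does not replace network egress rules or metadata-service hardening on the renderer host.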
