SSRF
Lab: Basic SSRF against the local server
Guys 👋, let’s go through this really quick. This is an SSRF lab on PortSwigger Academy. This lab has a stock check feature that fetches data from an internal system. The task is to solve the lab by changing the stock check URL to access the admin interface at http://localhost/admin and delete the user Carlos. Let’s get started.
End Goal:
- Access the admin panel and delete the user carlos.
What is SSRF? 🤔
Server-side request forgery is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location.
Testing for vulnerabilities
- Let’s check the functionality of the web app.
- There are many products listed in the web app. Let’s visit a product and click “Check Stock.” In Burp, let’s check each request we make. Check the Proxy tab, and we can see our request. Let’s send it to the Repeater tab.
- Let’s modify the value of the stockApi parameter to http://localhost/admin or http://127.0.0.1/admin. This will display the admin interface.
- Modifying the request gets us to the admin interface. Reading the HTML, we can see the URL to delete the target user, which is http://127.0.0.1/admin/delete?username=carlos. Let’s submit this URL as the value in the stockApi parameter, and we solve the lab.
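The root cause of the lab is that the server fetches whatever URL the client puts in stockApi. As an added example (not part of this write-up or the lab), here is that trusting handler beside a hardened one that only forwards to an allowlisted internal stock host; the host name stock.weliketoshop.net and the path prefix /product/stock are assumed for illustration.

```python
"""Added example: a client-controlled stock-check target (vulnerable) next to
an allowlist-based validator (hardened). Assumed, not from the page: the
internal stock service host and path prefix below are illustrative."""
import ipaddress
from typing import Optional
from urllib.parse import urlparse

# Assumed internal stock service; everything else is refused.
ALLOWED_HOSTS = {"stock.weliketoshop.net"}
ALLOWED_PATH_PREFIX = "/product/stock"


def vulnerable_target(stock_api: str) -> str:
    """Vulnerable pattern: the URL sent by the client is the URL the server
    fetches, so http://localhost/admin is forwarded like any stock URL."""
    return stock_api


def hardened_target(stock_api: str) -> Optional[str]:
    """Hardened pattern: return the URL only if it points at the allowlisted
    stock host and path; return None so the caller can answer 400.

    Rejects non-http schemes, IP literals in loopback/private/link-local
    ranges (defence in depth) and any host or path outside the allowlist.
    A production check must also resolve the host and verify the address
    actually connected to, to cover DNS rebinding; that is out of scope here.
    """
    parts = urlparse(stock_api)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return None
    host = parts.hostname.lower()  # userinfo and port are already stripped
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not an IP literal
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local):
        return None
    if host not in ALLOWED_HOSTS:
        return None
    if not parts.path.startswith(ALLOWED_PATH_PREFIX):
        return None
    return stock_api


if __name__ == "__main__":
    for url in ("http://stock.weliketoshop.net:8080/product/stock/check?productId=1",
                "http://localhost/admin",
                "http://stock.weliketoshop.net@127.0.0.1/admin"):
        print(url, "->", hardened_target(url))
```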
That’s all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @T3chnocr4t. Feel free to DM me if you have any issues with my write-up. Thanks!