SSRF
Lab: SSRF attacks against other back-end systems
Let’s go through this, guys. This is a Web Security Academy lab on SSRF attacks against other back-end systems. The lab has a stock check feature that fetches data from an internal system. Our task is to use that stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, and then use it to delete the user Carlos.
End Goal:
- Access the admin panel and delete user carlos
Testing For Vulnerabilities:
- Let’s check the functionality of the web app.
- There are many products listed in the web app. Let’s visit a product and click “Check Stock.” In Burp, let’s look at each request we make: open the Proxy tab, find the stock check request, and send it to the Repeater tab.
- Modify the stockApi parameter to `http://192.168.0.x:8080/admin` and send the request to the Intruder tab. Under the Positions tab, highlight the x in the stockApi parameter and add it as a payload position; it is marked by two § symbols. Select Sniper as the attack type.
- After that, go to the Payloads tab and make sure the Numbers payload type is selected. Enter a range from 1 to 256, and then start the attack.
- When the attack is complete, go to the Results tab and check the Length column. One entry has a different length from the others, and it is the only one with a different status code, 200: that response is the admin interface.
- Send that request to the Repeater tab and change the URL path in the stockApi parameter to the admin action that deletes the user Carlos.
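The root cause of this lab is that the stock checker forwards whatever URL arrives in stockApi, so an attacker can point it at hosts the server can reach but the client cannot. Below is an added example (my own code, not part of the lab or the original write-up) showing the vulnerable behaviour next to a hardened validator that only accepts an allowlisted stock host on expected ports and refuses private, loopback and other non-routable addresses such as the 192.168.0.x range. It also includes a small defender-side check over constructed log lines that flags a client cycling through many rejected internal hosts, which is exactly the pattern the Intruder scan above produces. The hostname `stock.weliketoshop.net`, the allowed ports and the log format are assumptions for the example.

```python
"""Added example: vulnerable SSRF sink vs. hardened URL validation, plus
a simple detection over constructed stock-check log lines."""
import ipaddress
from urllib.parse import urlparse

# Assumed allowlist: the one back-end host the stock check is meant to reach.
ALLOWED_STOCK_HOSTS = {"stock.weliketoshop.net"}  # hypothetical hostname
ALLOWED_PORTS = {80, 443}                         # assumed expected ports


def stock_api_target_unsafe(stock_api: str) -> str:
    """Vulnerable behaviour from the lab: the user-supplied URL is used
    verbatim as the fetch target, so internal hosts are reachable."""
    return stock_api


def is_blocked_address(host: str) -> bool:
    """True when `host` is a literal IP that is private, loopback,
    link-local, multicast, reserved or unspecified. Hostnames return False
    and are left to the allowlist check."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_stock_api(stock_api: str) -> tuple:
    """Hardened check. Returns (accepted, reason). Order matters: the
    address block runs before the allowlist so the reason is informative."""
    parsed = urlparse(stock_api)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    if is_blocked_address(host):
        return False, "private, loopback or otherwise non-routable address"
    if host not in ALLOWED_STOCK_HOSTS:
        return False, "host not on allowlist"
    try:
        port = parsed.port
    except ValueError:  # e.g. a non-numeric port string
        return False, "invalid port"
    if port is None:
        port = 443 if parsed.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    return True, "ok"


# Constructed log lines in an assumed "client_ip stockApi_value" format.
SAMPLE_LOG = [
    "10.0.0.5 http://192.168.0.1:8080/admin",
    "10.0.0.5 http://192.168.0.2:8080/admin",
    "10.0.0.5 http://192.168.0.3:8080/admin",
    "10.0.0.9 http://stock.weliketoshop.net/product/stock/check?productId=1",
]


def clients_probing_internal_hosts(log_lines, threshold: int = 3) -> list:
    """Return clients whose rejected stockApi values targeted at least
    `threshold` distinct hosts: the signature of an internal range scan."""
    rejected_hosts = {}
    for line in log_lines:
        client, _, url = line.partition(" ")
        accepted, _reason = validate_stock_api(url)
        if not accepted:
            rejected_hosts.setdefault(client, set()).add(urlparse(url).hostname)
    return sorted(c for c, hosts in rejected_hosts.items() if len(hosts) >= threshold)


if __name__ == "__main__":
    for url in ("http://192.168.0.1:8080/admin",
                "http://stock.weliketoshop.net/product/stock/check?productId=1"):
        print(url, "->", validate_stock_api(url))
    print("scanning clients:", clients_probing_internal_hosts(SAMPLE_LOG))
```

The allowlist is the primary control; the address blocklist is defence in depth, and on a real server you would additionally resolve the allowlisted hostname and pin the connection to the resolved address so that a DNS answer pointing at an internal IP cannot bypass the check. The log check is intentionally simple: in practice it would key on the authenticated session as well as the source IP and run over a time window.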
That’s all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @T3chnocr4t. Feel free to DM me if you have any issues with my write-up. Thanks!