SSRF Notes: An unexpected journey


This will InshaAllah be the beginning of a series of posts on my Server Side Request Forgery (SSRF) research journey. Why SSRF? Well, I recently came across the 3-Months Microsoft Azure SSRF research challenge, and because I strongly believe there are a lot of uncharted areas in SSRF research, I decided to partake and, who knows, maybe I might earn myself a little bounty along the way :).

Game Plan

Currently, the plan is simple: get myself up to speed with the current state of the art in SSRF research by solving CTFs and freely available lab challenges to gather some intuition, then move on to asking questions about the current limitations of known exploit techniques; hopefully I will stumble on something new. I will start by solving the PortSwigger Web Security Academy labs in this post and continue with other CTF challenges in the subsequent posts.

PS: most of the posts on SSRF will be fast-paced; they are just meant to serve as self-notes for reference and to organize my thoughts.


Task: This lab has a stock check feature that fetches data from an internal system.
To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user Carlos.

So we need to delete the user Carlos using the SSRF vulnerability in the check stock URL. Selecting the first stock, we are greeted with the following functionality:


Using the functionality and intercepting the request in Burp, we see this:


The stockApi parameter in the POST request takes a URL, which should be a stock check URL. Let's see what happens when we allow the request through without any modifications:



We get a response from the server with the available stock count. All is good so far; now let's change the URL to localhost and see the response.


Changing the stockApi parameter to localhost, we get the following response:


Easy: we get the response with the admin interface and can see the delete functionality, so let's go on and delete Carlos.



Sending the above request, we get the response that we've solved the lab. This is probably the easiest SSRF vulnerability we will ever solve :).
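For reference, here is what the server-side fix for this lab's bug looks like, as an added example that is not the lab's own code: the stockApi handler with a host allowlist and a resolved-address check in front of the fetch. The allowlisted host names, the DNS table and the endpoint paths are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed allowlist: the only hosts the stock-check feature may call.
ALLOWED_STOCK_HOSTS = {"stock.example.com", "stock-legacy.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
# Address ranges a stock check must never reach (loopback, RFC 1918, link-local).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed DNS table so the example runs offline (these are not real hosts).
FAKE_DNS = {"stock.example.com": "203.0.113.10",
            "stock-legacy.example.com": "127.0.0.1",  # misconfigured name
            "localhost": "127.0.0.1"}

def fake_resolve(host: str) -> str:
    """Stand-in for socket.gethostbyname using the constructed table."""
    if host not in FAKE_DNS:
        raise socket.gaierror(host)
    return FAKE_DNS[host]

def validate_stock_api_url(url: str, resolver=socket.gethostbyname) -> bool:
    """Accept only an allowlisted host, and only if it resolves outside BLOCKED_NETS."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False                      # no file://, gopher:// or similar schemes
    if parsed.username or parsed.password:
        return False                      # userinfo has no business in a stock URL
    host = parsed.hostname
    if host is None or host.lower() not in ALLOWED_STOCK_HOSTS:
        return False                      # localhost and any other non-allowlisted host
    try:
        addr = ipaddress.ip_address(resolver(host))
    except (socket.gaierror, ValueError):
        return False
    return not any(addr in net for net in BLOCKED_NETS)

def handle_stock_check(stock_api: str, fetch, resolver=socket.gethostbyname):
    """Server-side handler for the stockApi parameter.

    The vulnerable original is simply `return 200, fetch(stock_api)`: whatever
    URL the client supplies is fetched from the server's own network position,
    which is why http://localhost/admin was reachable in the lab.
    """
    if not validate_stock_api_url(stock_api, resolver):
        return 400, "stockApi not permitted"
    return 200, fetch(stock_api)
```

The second layer (resolving the allowlisted name) is what catches stock-legacy.example.com, an allowlisted host that happens to point at loopback; the allowlist alone would have let it through.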


