Posts

Showing posts from September, 2021

SSRF Notes: PortSwigger Labs Continued

Lab 3: SSRF with blacklist-based input filter

Task: This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed two weak anti-SSRF defenses that you will need to bypass.

This lab is just like the previous ones, except that we need to bypass blacklist filters. This is what a normal request to the stock check feature looks like:

Passing http://localhost/admin to the stockApi parameter does not work this time; we get this response:

That's the filter blocking us. It turned out that 127.0.0.1, localhost and admin are all blacklisted, so they cannot be used. After trying a couple of things, the following was able to bypass the filter:

We get the following response:

So to complete the lab we just proceed to delete carlos. And that's it, lab solved.

SSRF Notes: PortSwigger Labs

Lab 2: Basic SSRF against another back-end system

Task: This lab has a stock check feature that fetches data from an internal system. To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user Carlos.

This lab is just slightly different from the previous lab: we need to use the SSRF vulnerability to scan the internal network, find the host serving a web app on port 8080, and then delete the user Carlos. The stock check functionality remains the same as in the previous lab:

The stock check URL is now different, pointing to an internal non-routable IP address. Using Burp Intruder we brute-forced the range and found the host at 192.168.0.170. We then send a request to delete the user Carlos. And that's it, we solved the lab.

All of these labs feel too easy, so I'm gonna skip the write-ups on the easy ones from this point forward; otherwise, I feel I won't make significant progress. I