SSRF Notes: PortSwigger Labs Continued
Lab 3: SSRF with blacklist-based input filter
Task: This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed two weak anti-SSRF defenses that you will need to bypass.
This lab is just like the previous ones, except that we need to bypass blacklist filters. This is what a normal request to the stock check feature looks like:
Passing http://localhost/admin to the stockApi parameter does not work this time. We get this response:
That's the filter blocking us. It turned out that 127.0.0.1, localhost and admin are all blacklisted, so they cannot be used. After trying a couple of things, the following bypassed the filter:
And that's it, lab solved.
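Added here as a defender's counterpart to the filter this lab defeats, and not code from the lab or from this blog: a substring blacklist of the kind the lab uses, beside an allowlist check that parses the URL, pins the one permitted host to its expected address and rejects loopback and similar addresses even after DNS resolution. The host name, address and DNS table are constructed for the example (hypothetical, not taken from the lab).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed for this example: the only host the stock checker may contact,
# pinned to the address it should resolve to, and the ports it may use.
ALLOWED_HOSTS = {"stock.weliketoshop.net": {"10.0.0.5"}}
ALLOWED_SCHEMES, ALLOWED_PORTS = {"http", "https"}, {None, 80, 443, 8080}
# Constructed DNS table standing in for a resolver so the example runs offline.
CONSTRUCTED_DNS = {"stock.weliketoshop.net": {"10.0.0.5"}}


def naive_blacklist_ok(url: str) -> bool:
    """Weak substring check like the lab's: only a literal match is refused."""
    lowered = url.lower()
    return not any(bad in lowered for bad in ("127.0.0.1", "localhost", "admin"))


def resolve_constructed(host: str) -> set:
    """Offline stand-in for DNS; raises OSError like a failed lookup."""
    if host not in CONSTRUCTED_DNS:
        raise OSError("constructed NXDOMAIN")
    return CONSTRUCTED_DNS[host]


def _is_internal(addr: str) -> bool:
    """Loopback, link-local, unspecified or multicast, after unwrapping
    IPv4-mapped IPv6 (::ffff:a.b.c.d). Unparsable input counts as unsafe."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast


def is_safe_stock_url(url: str, resolve=None) -> bool:
    """Allowlist check on the parsed URL: scheme, exact host and port must be
    permitted, and every resolved address must be pinned and not internal."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # hostname is already lowercased
    except ValueError:
        return False
    if (parts.scheme not in ALLOWED_SCHEMES or host not in ALLOWED_HOSTS
            or port not in ALLOWED_PORTS):
        return False
    try:  # real DNS unless a resolver (e.g. the constructed one) is injected
        addrs = resolve(host) if resolve else {i[4][0] for i in socket.getaddrinfo(host, None)}
    except OSError:
        return False
    return bool(addrs) and all(a in ALLOWED_HOSTS[host] and not _is_internal(a)
                               for a in addrs)
```

The pinning step is what makes the check hold up when the permitted name is later pointed at a different address: an answer outside the pinned set fails even though the host string itself was allowed.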
Waiting to see a more complex write-up.
Those are definitely on their way.