Server-Side Request Forgery (SSRF)- PortSwigger Labs

Lab: Basic SSRF against another back-end system

Michael Koczwara


SSRF Attack Lifecycle

Lab: Basic SSRF against another back-end system

Objectives

This lab has a stock check feature that fetches data from an internal system.

To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.


Lab walkthrough

Let's check the application.

Vulnerable App

Looks like stockApi is making an HTTP request to this IP address (localhost), 192.168.0.1.

Decoded URL

OK, so let's check what information we can find out and what else is running on the localhost.

HTTP request to 192.168.0.1:8080 and the 400 Bad Request response

Let's check another IP address, 192.168.0.3:8080.

HTTP 500 Internal Server Error response

OK, let's capture the request and send it to Intruder.

Setting up Intruder positions (payload marker $1$ on the last octet of the IP address) to brute-force the 192.168.0.X range
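The walkthrough shows why a stock-check feature that fetches whatever URL the client supplies is dangerous: the same request that reaches the real stock back-end can be pointed at 192.168.0.X:8080 and used to enumerate and drive an internal admin interface. The usual fix is to stop trusting the client-supplied destination. The example below is added here and is not code from the lab or from this writeup; it assumes a hypothetical allowlisted stock back-end (`stock.internal.example`, constructed for the example) and validates a `stockApi` URL before the server fetches it, rejecting any IP literal in a private, loopback or link-local range and any origin that is not on the allowlist.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed allowlist: the only (host, port) origins the stock checker may contact.
# In a real deployment this would come from configuration, not a literal.
ALLOWED_ORIGINS = {
    ("stock.internal.example", 80),
    ("stock.internal.example", 443),
}


def host_is_internal_ip(host: str) -> bool:
    """Return True when host is an IP literal in a range that must never be
    reachable through a user-controlled URL (RFC 1918, loopback, link-local,
    reserved, multicast, unspecified). Hostnames return False here and are
    handled by the allowlist instead."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal
    return (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_reserved
        or ip.is_multicast
        or ip.is_unspecified
    )


def validate_stock_url(url: str) -> tuple[bool, str]:
    """Decide whether the server may fetch `url` on the client's behalf.
    Returns (allowed, reason); the reason is suitable for an audit log."""
    parsed = urlparse(url)

    if parsed.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parsed.scheme!r}"
    if parsed.username or parsed.password:
        # user@host tricks can confuse naive host parsing; refuse outright
        return False, "credentials in URL not allowed"

    host = parsed.hostname  # lowercased; IPv6 brackets already stripped
    if not host:
        return False, "missing host"

    try:
        port = parsed.port  # raises ValueError for an out-of-range port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if parsed.scheme == "https" else 80

    # Belt and braces: block internal IP literals even before the allowlist,
    # so the lab's 192.168.0.X:8080 sweep is refused with an explicit reason.
    if host_is_internal_ip(host):
        return False, f"internal address blocked: {host}"

    if (host, port) not in ALLOWED_ORIGINS:
        return False, f"origin not in allowlist: {host}:{port}"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: the legitimate back-end URL and the kind of
    # values the walkthrough substitutes into the stockApi parameter.
    samples = [
        "http://stock.internal.example/product/stock/check?productId=1",
        "http://192.168.0.1:8080/admin",
        "http://192.168.0.3:8080/",
        "http://localhost/admin",
        "http://[::1]:8080/",
        "http://stock.internal.example:8080/",
    ]
    for s in samples:
        allowed, reason = validate_stock_url(s)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {s}  ({reason})")
```

The allowlist does the real work; the internal-IP check exists so that a denied probe is logged with a reason that is easy to alert on (a burst of "internal address blocked" entries from one session is exactly the Intruder sweep shown above). A production version should additionally resolve the allowlisted hostname and compare the resolved address against the same private-range test, since a hostname check alone does not cover DNS rebinding.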
