Basic SSRF against the local server | Dec 24, 2022

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: Basic SSRF against the local server! Without further ado, let’s dive in.

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.

Home page:

Let’s view one of those products detail:

In here, we can see that users are allowed to check the stock.

Let’s click the Check stock button, and intercept the request via Burp Suite:

When we clicked the Check stock button, it’ll send a POST request to /product/stock, with parameter stockApi and it’s value is interesting:

URL decoded:

http://stock.weliketoshop.net:8080/product/stock/check?productId=1&storeId=1

As you can see, it’s sending a request to an internal API.

What if I change the domain to localhost, and forward the request?

Oh! It displays the home page, and it has an admin panel!

Armed with above information, it’s clear that this check stock function is vulnerable to Server-Side Request Forgery(SSRF)!

However, when we clicked the admin panel link:

It’s only available to adminsitrator or request from localhost!

Let’s change our SSRF payload to http://localhost/admin!

We can see the admin panel! Let’s try to delete user carlos!

Again, we need to do it from the SSRF payload:

http://localhost/admin/delete?username=carlos

We did it!