Lab Description
So, today we will be solving the 4th lab of SSRF filter bypass via open redirection vulnerability.
This lab has a stock check feature that fetches data from the internal system. To solve the lab, we need to access the admin interface via the stock check URL and delete the user “Carlos”.
To reach the admin interface through the stock checker, we need to find an open redirect vulnerability in the web application, since the admin interface is only accessible to local users. The open redirect lets us bypass the Server-side Request Forgery filter.
Lab Solution
As always, first, we will access the lab and click on the “View details” of any product.
As you can see, there are three options on this page – “Check stock”, “Return to list”, and “Next product”.
Now, we will intercept the request of the “Next product” option using Burp Suite.
After intercepting, the request will look something like this in Burp Suite. As you can see, there is a “path=/product?productId=2” parameter in the request.
Now, we need to test whether this path is vulnerable to SSRF or not. For this, we will insert a payload from the Burp Collaborator.
After executing the payload, we will receive DNS and HTTP requests in Burp Suite. This means that the path is vulnerable to SSRF.
Next, we will intercept the request of the “Check stock” feature using Burp Suite and send it to the repeater.
In the screenshot above, we can see the intercepted request that we sent to Repeater.
If you remember our last request, we modified it and confirmed the SSRF. Now, we will copy the path of that request.
After copying the path, we will insert it into the stock API request. We are exploiting the SSRF through an open redirect vulnerability.
In the last request, we received a bad request response because we did not encode the stockApi value. You can URL-encode it in Burp Suite by pressing Ctrl+U. Once the payload is encoded, the request will work.
Now, we have accessed the admin panel at http://192.168.0.12:8080/admin. Replace the Burp Collaborator payload with “localhost:8080/admin”.
In the final step, we need to delete the account of “Carlos”. To do this, type “delete?username=carlos” after “/admin”. Execute the request and the Carlos account will be deleted.
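The chain above works because the stock checker validates only the URL the client supplies and then follows the “Next product” redirect without checking where it leads. The following Python example, added here and not part of the lab or of PortSwigger's code, shows that filter beside a hardened version that re-checks the host on every hop, plus a fix for the open redirect itself. The host names, the in-memory FAKE_SERVER map and the helper function names are constructed for the example; only the 192.168.0.12:8080/admin address comes from the lab.

```python
from urllib.parse import urljoin, urlsplit

# Base URL of the internal stock service and the only host the stock checker may
# contact. Both names are constructed for this example.
BASE = "http://stock.example.internal:8080"
ALLOWED_HOSTS = {"stock.example.internal"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5

# Stand-in for the network: a constructed map of URL -> (status, headers, body).
# The nextProduct entry mirrors the lab's open redirect, which sends the client
# wherever the "path" parameter points.
FAKE_SERVER = {
    f"{BASE}/product/stock/check?productId=1": (200, {}, "stock: 42"),
    f"{BASE}/product/nextProduct?path=http://192.168.0.12:8080/admin":
        (302, {"Location": "http://192.168.0.12:8080/admin"}, ""),
    "http://192.168.0.12:8080/admin": (200, {}, "ADMIN INTERFACE"),
}


def fake_http_get(url):
    """Simulated GET that never touches the network."""
    return FAKE_SERVER.get(url, (404, {}, "not found"))


def host_is_allowed(url):
    """Allowlist check on scheme and host of an absolute URL."""
    parts = urlsplit(url)
    return parts.scheme == "http" and parts.hostname in ALLOWED_HOSTS


def vulnerable_fetch(stock_api):
    """Checks only the URL the client supplied, then follows redirects blindly.
    This is the behaviour the lab's filter exhibits."""
    url = urljoin(BASE, stock_api)
    if not host_is_allowed(url):
        raise ValueError("blocked: " + url)
    for _ in range(MAX_HOPS):
        status, headers, body = fake_http_get(url)
        if status in REDIRECT_CODES:
            url = urljoin(url, headers["Location"])  # redirect target is never re-checked
            continue
        return body
    raise ValueError("too many redirects")


def hardened_fetch(stock_api):
    """Re-validates the host before every hop, so an open redirect on the
    allowed host cannot steer the request to 192.168.0.12 or localhost."""
    url = urljoin(BASE, stock_api)
    for _ in range(MAX_HOPS):
        if not host_is_allowed(url):
            raise ValueError("blocked: " + url)
        status, headers, body = fake_http_get(url)
        if status in REDIRECT_CODES:
            url = urljoin(url, headers["Location"])
            continue
        return body
    raise ValueError("too many redirects")


def is_safe_redirect_path(path):
    """Fix for the open redirect itself: accept only a same-site path, so
    nextProduct?path=... can no longer name another host."""
    parts = urlsplit(path)
    return (parts.scheme == "" and parts.netloc == ""
            and path.startswith("/") and not path.startswith("//")
            and "\\" not in path)


if __name__ == "__main__":
    payload = "/product/nextProduct?path=http://192.168.0.12:8080/admin"
    print(vulnerable_fetch(payload))          # ADMIN INTERFACE: filter bypassed
    try:
        hardened_fetch(payload)
    except ValueError as err:
        print(err)                            # blocked: http://192.168.0.12:8080/admin
    print(is_safe_redirect_path("/product?productId=2"))             # True
    print(is_safe_redirect_path("http://192.168.0.12:8080/admin"))   # False
```

With a real HTTP client the same pattern applies: disable automatic redirect following (for example `allow_redirects=False` in the requests library) and loop over hops yourself so the allowlist runs before each one. Detection-wise, a stock-check request whose upstream fetch lands on a host outside the allowlist, or on a loopback or RFC 1918 address, is exactly the event worth alerting on.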
We have successfully solved the lab “SSRF filter bypass via open redirection vulnerability”.
To continue studying, check out the next lab, Blind SSRF With Out-Of-Band Detection, but make sure you have covered the current lab before moving on. Good luck!