Introduction
This article covers the lab “SSRF with blacklist-based input filter”. We will use several techniques to solve it, bypassing the anti-SSRF defenses the developer has set up in the lab.
Lab Description

In this lab, we have a stock check feature that fetches data from an internal system. To solve the lab, we need to reach the admin panel through the stock check URL and then use it to delete Carlos’s account.
The developer has put anti-SSRF defenses in place, but they are weak, so we will bypass them.
Lab Solution

First, we will access the lab. After accessing it, we will click on any product to view its details.

After clicking on “view details,” we will enable our Burp Suite proxy and intercept the request by clicking on “check stock.”

Once we intercept the request, we will send it to Repeater and replace the “stockApi” value with a Burp Suite Collaborator payload.

As you can see in the Collaborator tab, we have received HTTP and DNS interactions, which confirms that the parameter is vulnerable to SSRF.

Now, we will try to access the internal network through the “stockApi” value. However, the server blocks the request because of its security defenses.
Next, we will modify the “localhost” value and check again.

When I changed the “stockApi” value to “http://127.1”, the anti-SSRF security was successfully bypassed.

In the next step, we will access the admin panel by changing the “stockApi” value to “http://127.1/admin”.
As you can see, the defense blocked us again when we tried to access “/admin”.

I simply modified the value “/admin” to “/Admin” to bypass the security check. To double encode the value of “/”, we can use “%2561”.

Finally, we deleted Carlos’s account by changing the “stockApi” value to “http://127.1/admin/delete?username=carlos”.
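As an added defender-side example (not part of this walkthrough or of the lab’s own code), the Python below contrasts a string blacklist of the kind bypassed above with an allowlist check that canonicalises the host (so “127.1” is seen as 127.0.0.1) and the path (so “/Admin” and “%2561dmin” both normalise to “/admin”); the host name, path prefix and function names are assumptions.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

# Constructed for this example: the only backend the stock check may call
# and the only path prefix it may request (both hypothetical).
ALLOWED_HOSTS = {"stock.example.internal"}
ALLOWED_PATH_PREFIX = "/api/stock"


def naive_blacklist_allows(url: str) -> bool:
    """A string blacklist like the one the lab's defence resembles (assumption):
    it never decodes, lowercases or canonicalises the URL before matching."""
    return not any(bad in url for bad in ("127.0.0.1", "localhost", "/admin"))


def canonical_ip(host: str):
    """Return the address an IP literal denotes, or None if host is a name.
    inet_aton accepts short and numeric forms ('127.1', '2130706433') that
    a textual match on '127.0.0.1' never sees."""
    try:
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)  # IPv6 literals such as ::1
    except ValueError:
        return None


def normalize_path(path: str) -> str:
    """Percent-decode until the path stops changing (so '%2561dmin' and
    '%61dmin' both become 'admin'), then fold case ('/Admin' -> '/admin')."""
    while (decoded := unquote(path)) != path:
        path = decoded
    return path.lower()


def is_safe_stock_url(url: str) -> bool:
    """Allowlist check: http(s) to an approved host name under the approved
    path prefix. Caveat: a name that resolves to an internal address (or is
    rebound after this check) still needs controls at resolution time."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if canonical_ip(host) is not None:
        return False  # address literals are never on the host allowlist
    if host not in ALLOWED_HOSTS:
        return False
    return normalize_path(parts.path).startswith(ALLOWED_PATH_PREFIX)
```

The blacklist lets “http://127.1/Admin” through, while the allowlist rejects it along with every other loopback, private or unlisted destination.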

As you can see, we have successfully solved the lab “SSRF with blacklist-based input filter”.