ALL PortSwigger SSRF Labs: Server-side request forgery | WalkThrough
Introduction
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.
In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.
Target — Lab 1 [Basic SSRF against the local server]
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.
Detection
→ A third-party website is being used to check stock levels.
Exploitation
Testing basic SSRF against the local server, we can see the /admin page.
After accessing the /admin page we can delete existing users.
Target — Lab 2 [Basic SSRF against another back-end system]
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.
Detection
First we have to find out the IP address of the back-end database.
Send this request to Burp Intruder.
Exploitation
curl -i -XPOST -d "stockApi=http%3A%2F%2F192.168.0.208%3A8080%2Fadmin" --cookie "session=R9DFRARXyUaMgM0sT6TeDEMSUyEkGt14" https://ac771f411fe5ced6c08396df003900d7.web-security-academy.net/product/stock
We can see here that the application server is able to interact with other back-end systems that are not directly reachable by users. We can access the /admin page and use it to delete the user carlos.
Target — Lab 3 [SSRF with blacklist-based input filters]
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.
The developer has deployed two weak anti-SSRF defenses that you will need to bypass.
Detection
Detection of the SSRF is the same as in the first lab, but here there are some SSRF defenses.
Blacklist
127.0.0.1
localhost
admin
We have to make our payload in two parts: the first is the IP part and the second is the /admin part.
First part of our payload
Using an alternative IP representation of 127.0.0.1, such as 2130706433, 017700000001, or 127.1.
Using a Cluster bomb attack,
RESULT:
Many of them passed the test cases. We can use any one of them to complete this lab.
Exploitation
Target — Lab 3 [SSRF with whitelist-based input filter]
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.
The developer has deployed an anti-SSRF defense you will need to bypass.
Detection
Detection is the same as in the first lab.
Here the website requires the stock check URL to include the hostname stock.weliketoshop.net.
Exploitation
Bypass Methods
Adding the “@” character
You can embed credentials in a URL before the hostname, using the @ character.
Result: FAILED
Adding the “#” character
You can use the # character to indicate a URL fragment.
Result: FAILED
Using both the above methods
Result: PASSED
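As an added defensive example that is not part of this walkthrough or of PortSwigger's labs, the following Python validator shows why the two filters above fail and what a back-end stock check could do instead: parse the URL with urllib first, then judge only the parsed hostname, canonicalising numeric IPv4 spellings (decimal, octal, hex and shortened, the forms used against Lab 3) before checking the address range. The naive_* functions are simplified stand-ins for the lab filters, not their actual code; the allowlisted hostname is the one named in Lab 4, and the sample URLs (including the internal.example host) are constructed for this example.

```python
# Added example: hardened stock-check URL validation. Not PortSwigger's code.
# The allowlisted hostname is the one from Lab 4; all sample URLs are constructed.
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"stock.weliketoshop.net"}            # exact hostnames the stock check may call
DENIED_STRINGS = ("127.0.0.1", "localhost", "admin")   # the Lab 3 blacklist


def naive_denylist_check(url: str) -> bool:
    """Lab 3 style: substring matching on the raw URL. Misses every spelling not listed."""
    lowered = url.lower()
    return not any(bad in lowered for bad in DENIED_STRINGS)


def naive_allowlist_check(url: str) -> bool:
    """Lab 4 style (simplified stand-in): accept if the trusted name appears anywhere."""
    return "stock.weliketoshop.net" in url


def _parse_part(part: str) -> int:
    """One inet_aton-style component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if not part.isalnum():
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def parse_ipv4_literal(host: str) -> Optional[ipaddress.IPv4Address]:
    """Canonicalise the classic inet_aton grammar (1 to 4 dot-separated parts, the last
    part filling the remaining bytes). Returns None if host is not numeric.
    This is why 2130706433, 017700000001, 127.1 and 0x7f.1 all mean 127.0.0.1."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or any(p == "" for p in parts):
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *leading, last = values
    if any(not 0 <= v <= 255 for v in leading):
        return None
    tail_bytes = 5 - len(parts)                 # bytes covered by the last component
    if not 0 <= last < 256 ** tail_bytes:
        return None
    packed = 0
    for v in leading:
        packed = (packed << 8) | v
    packed = (packed << (8 * tail_bytes)) | last
    return ipaddress.IPv4Address(packed)


def is_internal_host(host: str) -> bool:
    """True for hosts a stock check must never reach: localhost and non-global addresses."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)       # dotted quad or IPv6 literal such as ::1
    except ValueError:
        addr = parse_ipv4_literal(host)         # shorthand and non-decimal IPv4 forms
    if addr is None:
        # A DNS name. In production: resolve it here, apply this same rule to every
        # returned address, and connect to the checked address (defeats DNS rebinding).
        return False
    return not addr.is_global                   # loopback, private, link-local, reserved


def hardened_check(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Parse first, decide on the parsed host, never on the raw string.
    urlsplit().hostname drops userinfo (the @ trick), the port and the fragment (the # trick)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if allowed_hosts is not None:
        return parts.hostname in allowed_hosts  # exact match on the real hostname
    return not is_internal_host(parts.hostname)


if __name__ == "__main__":
    samples = [  # constructed inputs for this example
        "http://stock.weliketoshop.net:8080/product/stock/check?productId=1",
        "http://2130706433/",                               # decimal form of 127.0.0.1
        "http://017700000001/",                             # octal form
        "http://127.1/",                                    # shortened form
        "http://0x7f.1/",                                   # hex form
        "http://stock.weliketoshop.net@internal.example/",  # trusted name in userinfo
        "http://internal.example/#stock.weliketoshop.net",  # trusted name in fragment
    ]
    for u in samples:
        print(f"{u:68} denylist={naive_denylist_check(u)!s:5} allowlist={naive_allowlist_check(u)!s:5} "
              f"hardened(range)={hardened_check(u, None)!s:5} hardened(allowlist)={hardened_check(u)!s}")
```

Running the block prints one line per sample: every alternative IP spelling slips past the substring denylist and every userinfo/fragment variant slips past the substring allowlist, while the parser-based check rejects all of them and accepts only the genuine stock.weliketoshop.net URL. An exact allowlist on the parsed hostname is the stronger of the two controls; the range check is the fallback when the set of legitimate back-ends cannot be enumerated.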