Through our RE:HACK #re:educate session, 0xzim from Universiti Teknologi MARA Shah Alam shared an introduction to SSRF based on his own understanding of it.
In this post, one of our wizards decided to solve all the PortSwigger Web Academy SSRF labs and share the writeups with everyone. This topic will be covered in three parts.
Lab 1 - Basic SSRF against the local server
URL: https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.
Solution:
Once we opened the lab’s URL, we were presented with an e-Store website.
From the lab’s description, we identified a few hints:
“…lab has a stock feature…”
“…change the stock URL…”
Our task was therefore to locate this endpoint and delete the user carlos via the admin interface.
Clicking on one of the products available in the e-Store, we noticed the “Check stock” feature at the bottom of the page.
By intercepting the request with Burp Suite, we observed the request made when the “Check stock” button was clicked.
The following was the captured request:
POST /product/stock HTTP/1.1
Host: xxx.web-security-academy.net
Connection: keep-alive
Content-Length: 107
...
stockApi=http://stock.weliketoshop.net:8080/product/stock/check?productId=1&storeId=1
From here, it was obvious that the stockApi parameter accepted an arbitrary URL and returned the fetched content on the page.
Next, we replaced the stockApi value with http://localhost/admin as described in the lab’s description. The result showed that we were able to access the admin interface, confirming that the SSRF attack was successful.
To complete the challenge, we needed to delete the user carlos from the application. To do that, all we had to do was perform a delete action against this user through the following request: URL/admin/delete?username=carlos. We replaced the stockApi value with this delete request, and the result showed that the request succeeded.
Lab 2 - Basic SSRF against another back-end system
URL: https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.
Solution:
From the description, we noted that the vulnerable endpoint was the same as in Lab 1, stockApi. However, to solve this lab, we were required to perform an internal network scan against the 192.168.0.X segment on port 8080. Once the host was discovered, similar to Lab 1, we were required to delete the user carlos.
We visited the e-Store again and, once we had identified the vulnerable endpoint, proceeded to our Burp Suite Repeater tab.
As we were required to perform the internal network scan, we sent the request to the Burp Suite Intruder tab and set the attack position on the stockApi value as follows:
POST /product/stock HTTP/1.1
Host: xxx.web-security-academy.net
...
stockApi=http://192.168.0.§0§:8080
We set the “Attack type” to Sniper. On the Intruder’s Payloads tab, we set the “Payload type” to Numbers and the “Payload Options” number range to 0-255, as that is the range of host addresses in a /24 segment.
The “Payload Encoding” option was unticked to ensure the payloads would not be URL-encoded during the attack.
Once everything was set, we ran the attack.
From the results, we noticed there was only one response with a “404 Not Found” status, which was for http://192.168.0.243:8080.
We sent this request to our Burp Suite Repeater tab and replayed it, this time with the /admin path included.
It was confirmed as the right IP address, as we were able to access the admin interface from it. Next, similar to Lab 1, we deleted the user carlos and completed the challenge.
POST /product/stock HTTP/1.1
Host: xxx.web-security-academy.net
...
stockApi=http://192.168.0.243:8080/admin/delete?username=carlos
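Both labs are solvable because the server fetches whatever URL arrives in stockApi. The following is an added example (not code from the lab, the writeup or PortSwigger) of the server-side fix: an allow-list check for that parameter, plus the preferred alternative of building the upstream URL from integer IDs so no URL is ever taken from the client. The allowed host, port and path prefix are assumptions taken from the captured request to stock.weliketoshop.net:8080.

```python
"""Server-side defence for a stockApi-style parameter (added example).

Assumed legitimate back end, taken from the captured request:
http://stock.weliketoshop.net:8080/product/stock/check?productId=..&storeId=..
"""
import ipaddress
from urllib.parse import urlencode, urlsplit

ALLOWED_HOST = "stock.weliketoshop.net"      # assumed upstream hostname
ALLOWED_PORTS = {8080}                        # assumed upstream port
ALLOWED_PATH_PREFIX = "/product/stock/check"  # assumed upstream endpoint
ALLOWED_SCHEMES = {"http", "https"}


def is_allowed_stock_url(url: str) -> bool:
    """Return True only if url points at the legitimate stock back end.

    Rejects localhost, literal IPs (so 192.168.0.X scans fail), userinfo
    tricks such as allowed-host@evil, wrong ports and wrong paths.
    """
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises on "x:abc"
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:                       # the back end is reached by name, never by IP
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if host != ALLOWED_HOST:   # urlsplit already lower-cases the hostname
        return False
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    if port not in ALLOWED_PORTS:
        return False
    return parts.path.startswith(ALLOWED_PATH_PREFIX)


def build_stock_url(product_id: int, store_id: int) -> str:
    """Preferred fix: accept only integer IDs and build the URL server-side."""
    if not isinstance(product_id, int) or not isinstance(store_id, int):
        raise TypeError("productId and storeId must be integers")
    query = urlencode({"productId": product_id, "storeId": store_id})
    return f"http://{ALLOWED_HOST}:8080{ALLOWED_PATH_PREFIX}?{query}"
```

The validator is a stop-gap for an existing client-supplied parameter; the second function removes the SSRF surface entirely, which is the change to aim for.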
References:
The second part of this series can be found here Part 1