Date: 04 Mar, 2025
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.
Goal
The main goal of this lab is to:
- Exploit a Server-Side Request Forgery (SSRF) vulnerability.
- Scan and identify internal IP addresses to find where an internal admin service is running.
- Access that internal admin interface through the vulnerable parameter.
- Trigger a delete request to remove the user carlos.
What's Happening
This app has a stock check feature that takes a user-supplied URL (stockApi), and makes a server-side request to fetch stock info.
Since internal services trust requests that originate from the server, but you can't reach those private addresses directly from your browser, SSRF lets you make the server issue those internal requests on your behalf.
STEPS:
- Visit a product, click Check stock, intercept the request in Burp Suite, and send it to Burp Intruder.
- Change the stockApi parameter to http://192.168.0.1:8080/admin, then highlight the final octet of the IP address (the number 1) and click Add §.
- In the Payloads side panel, change the payload type to Numbers, and enter 1, 255, and 1 in the From, To and Step boxes respectively.
- Click Start attack.
- Click on the Status column to sort it by status code ascending. You should see a single entry with a status of 200, showing an admin interface.
- Click on this request, send it to Burp Repeater, and change the path in the stockApi to: /admin/delete?username=carlos
Summary
This lab teaches you how SSRF vulnerabilities can be used not just to access internal services, but also to scan internal networks (like 192.168.x.x) to discover sensitive systems running on private IPs, and then interact with them.
This simulates a common real-world scenario where an attacker maps and attacks internal infrastructure via SSRF.
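What a fix for the stock-check endpoint looks like, as an added example that is not part of the lab or of the original post: the server validates the user-supplied stockApi value against an allow-list and refuses anything that resolves to a private address before fetching it. The host name stock.example.com, the allowed ports and the offline resolver stub are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list (assumption): the only upstream host the stock
# check is ever meant to contact. Replace with the real stock service.
ALLOWED_STOCK_HOSTS = {"stock.example.com"}
ALLOWED_PORTS = {None, 80, 443}   # None = scheme default


def _resolve_all(host):
    """All A records for host; swapped for an offline stub in tests."""
    return socket.gethostbyname_ex(host)[2]


def check_stock_api_url(url, resolve=_resolve_all):
    """Validate a user-supplied stockApi value before the server fetches it.

    Returns (ok, reason). Cheap syntactic checks run first, DNS last, and
    every resolved address is checked so that an allow-listed name cannot
    be pointed back into the private network.
    """
    try:
        parts = urlsplit(url)
        port = parts.port               # raises ValueError on a junk port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"       # blocks file://, gopher://
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"       # blocks allowed-host@evil
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"         # e.g. :8080 in the lab
    if parts.hostname not in ALLOWED_STOCK_HOSTS:
        return False, "host not on allow-list"   # raw IPs fail here too
    try:
        addrs = resolve(parts.hostname)
    except OSError:
        return False, "unresolvable host"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return False, f"resolves to internal address {addr}"
    # The fetch must use a client that does not follow redirects and must
    # re-run this check on every Location header, otherwise a 3xx from the
    # allowed host can still steer the server onto 192.168.0.0/16.
    return True, "ok"
```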