Date : 04 Mar, 2025

This lab has a stock check feature which fetches data from an internal system.

To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.

The developer has deployed two weak anti-SSRF defenses that you will need to bypass.

ACCESS THE LAB

Objective:

Exploit a Server-Side Request Forgery (SSRF) vulnerability to access an internal admin interface and delete the user carlos, even though the app tries to block access to internal URLs.

STEPS:

1. Visit a product, click "Check stock", intercept the request in Burp Suite, and send it to Burp Repeater.
2. Change the URL in the stockApi parameter to http://127.0.0.1/ and observe that the request is blocked.
3. Bypass the block by changing the URL to: http://127.1/
4. Change the URL to http://127.1/admin and observe that the URL is blocked again.
5. Obfuscate the "a" by double-URL encoding it to %2561 to access the admin interface and delete the target user.

Summary :

Bypass server-side filters that:

• Block internal IPs like 127.0.0.1
• Block specific paths like /admin

Key Takeaways:

• 127.1 is a valid alias for 127.0.0.1
• Double URL encoding (e.g., %2561) bypasses naive filters
• Input validation can be circumvented if not done properly
• SSRF is dangerous when it can reach internal services not meant for users