Skip to content

Lab Write-up: SSRF with filter bypass via open redirection vulnerability

Views: 210

This is a writeup on one of the SSRF labs by Portswigger.
https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection

You can try to produce intentional errors by providing unicode values. This cause the stock check server to return some error message. From below screenshot, we can see that the url is actually:
http://localhost:80/product/stock/check?productId=1%26storeId=12

Another thing you can play around is to decode the payload and send the request. Notice the response is returning “Missing parameter”. This is because you need to encode the ‘&’ character. Probably there is some sort of blacklist filter. Let’s learn to double encode to bypass the filter.

Another observation we can make is to look at the source code. We can see there is an open redirect in the “Next product” function. So the keyword for redirection might be ‘path’?
https://acfe1fda1fa0f12e80181f3300d500a8.web-security-academy.net/product/nextProduct?currentProductId=4&path=/product?productId=5

First attempt, we try to see if the stock check url has any open redirect. It turns out that it just return the stock value without performing any redirection. You can try other keywords like view / url / path etc. and still it will not redirect. So this doesn’t work.

Second attempt, we take the url payload from ‘Next Product’:

/product/nextProduct?currentProductId=4&path=/product?productId=5

Replace the current path value with the admin url ‘http://192.168.0.12:8080/admin’. The below screenshot shows that the redirection is successfully and we can see some of the admin functions appearing.

Now, you can exploit the SSRF vulnerability by sending a delete request using the admin URL.

Published inWalkthroughWeb Security

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *