Basic SSRF against the local server
https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/ssrf-apprentice/ssrf/lab-basic-ssrf-against-localhost
Last updated
https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/ssrf-apprentice/ssrf/lab-basic-ssrf-against-localhost
Last updated
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.
Every product has a dedicate check function to retrieve if a product is availble or not:
value="http://stock.weliketoshop.net:8080/product/stock/check?productId=1&storeId=1"
clicking to "Check stock" button we obtain the number of pieces in stock
We can change the stock check URL to access the admin interface inseriting the stockApi value selecting it and updating it into Inspector field at http://localhost/admin
In this way we're able to access in the admin panel via a SSRF, and checking into the reponse there're links for deleting users Wiener and Carlos:
The scope of the lab is to delete Carlos user, we can do it inserting the deletion link into stockApi value and solving the lab:
