PortSwigger's "Basic SSRF against the local server" Walkthrough

This is a writeup for the “basic SSRF against localhost” lab from PortSwigger Academy. For this walkthrough, you’ll need to have Burp Suite set up, as well as a PortSwigger Academy account.

Log in to your Academy account and then view the lab at https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost. This is accessible from the “all labs” view or from the SSRF page.

Challenge Information

Click the “Access the Lab” button and you will be taken to a temporary website that is created for your account. This will be in the format https://<random string here>.web-security-academy.net/.

SSRF, or Server Side Request Forgery, is a way of tricking the server into sending requests on your behalf, such as to an internal host that would otherwise not be accessible to you.

For this lab, we need to make a request to the /admin endpoint of the website running internally, available at http://localhost/.

Here’s the website, a generic shopping site again:

If you click on a product, then scroll to the bottom, you’ll see a stock checker:

Make sure you have Burp Suite open and your proxy running. Then click the button to check the stock.

You should be able to see the request in Burp Suite:

Right-click and send it to the Repeater for modification in future steps.

At the bottom of the request, we see the stockApi data, which is URL encoded. Highlight the value (from http to 3D1) and right-click, then select “Send to Decoder”.

Click “Smart decode” and you can see the original request in a more readable format:

The original value is:

http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D5%26storeId%3D1

The URL decoded value is:

http://stock.weliketoshop.net:8080/product/stock/check?productId=5&storeId=1

To make a request to localhost, we’ll need to encode all the punctuation characters (:, /, etc) with URL encoding.

Lab Solution

To make a request to http://localhost/admin instead, we will first need to URL encode our value. There’s not an easy way of just URL encoding : and / but you can use a tool like CyberChef to get this value:

http%3A%2F%2Flocalhost%2Fadmin

Replace that in the request that you sent to the Repeater, as the new stockApi value:

The response back is the admin portal!

Check the HTML to figure out what request we need to make next, in order to delete Carlos’ account:

Now we need to make a POST request to:

http://localhost/admin/delete?username=carlos

In URL encoded format, with the stockApi parameter, this looks like:

stockApi=http%3A%2F%2Flocalhost%2Fadmin%2Fdelete%3fusername%3dcarlos

Make another request with the updated stockApi value, and then check your browser, where you should receive credit for solving the lab.
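The lab works because the server fetches whatever URL arrives in stockApi. The following is an added example, not part of the lab or of PortSwigger's code, showing a server-side allowlist check run against the three stockApi values from this walkthrough; the function name and the assumption that only the original stock host, port and path are legitimate are mine.

```python
from urllib.parse import unquote, urlsplit

# Assumption: the stock checker only ever needs the backend seen in the
# lab's original stockApi value, so everything else is refused.
ALLOWED_SCHEME = "http"
ALLOWED_HOST = "stock.weliketoshop.net"
ALLOWED_PORT = 8080
ALLOWED_PATH = "/product/stock/check"


def check_stock_api(form_value: str) -> tuple[bool, str]:
    """Decide whether a stockApi value (as seen URL-encoded in the request
    body) may be fetched. Returns (allowed, reason)."""
    url = unquote(form_value)
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != ALLOWED_SCHEME:
        return False, f"scheme not allowed: {parts.scheme!r}"
    # Compare the parsed host, never a substring of the raw string.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    if parts.hostname != ALLOWED_HOST:  # urlsplit lowercases hostname
        return False, f"host not allowed: {parts.hostname!r}"
    if port != ALLOWED_PORT:
        return False, f"port not allowed: {port!r}"
    if parts.path != ALLOWED_PATH:
        return False, f"path not allowed: {parts.path!r}"
    return True, "ok"


if __name__ == "__main__":
    # The three stockApi values that appear in this walkthrough.
    samples = [
        "http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock"
        "%2Fcheck%3FproductId%3D5%26storeId%3D1",
        "http%3A%2F%2Flocalhost%2Fadmin",
        "http%3A%2F%2Flocalhost%2Fadmin%2Fdelete%3fusername%3dcarlos",
    ]
    for value in samples:
        allowed, reason = check_stock_api(value)
        print("ALLOW" if allowed else "BLOCK", reason, unquote(value))
```

A stronger design removes the URL from the request entirely and has the server build it from productId and storeId. If the URL must stay, the HTTP client doing the fetch should also refuse redirects so the allowlisted host cannot forward the request elsewhere.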