SSRF with blacklist-based input filter

Description

This lab has a vulnerable stock check feature which fetches data from an internal system.

Reproduction and proof of concept

  1. Visit a product, click Check stock, intercept the request in Burp Suite, and send it to Burp Repeater.

  2. Change the URL in the stockApi parameter to http://127.0.0.1/ and observe that the request is blocked.

  3. Bypass the block by changing the URL to: http://127.1/

  4. Change the URL to http://127.1/admin and observe that the URL is blocked again.

  5. Obfuscate the a in admin by double-URL encoding it to %2561 to access the admin interface and delete the target user.

SSRF

Exploitability

An attacker will need to change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed two weak anti-SSRF defences that the attacker will need to bypass.