| Field | Value |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | SSRF — Loopback Access to Admin Interface |
| Difficulty | Apprentice |
| Objective | Use the stock check URL to reach http://localhost/admin and delete the user carlos |
# Basic SSRF Against the Local Server — Writeup

## Initial Observation

Intercepting the stock check request reveals a `stockApi` parameter containing a URL:

```
stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1
```

URL-decoded:

```
stockApi=http://stock.weliketoshop.net:8080/product/stock/check?productId=1&storeId=1
```
The server is fetching this URL and returning the result. We control the URL — so we control where the server makes its request.
## Reaching the Admin Interface

Replacing the `stockApi` value with `http://localhost/admin`:

```
stockApi=http://localhost/admin
```

200 OK, and the admin panel comes back in the response. The access control on the admin interface is based on where the request originates, and a request from localhost is implicitly trusted. From the outside we'd get a 403 or a redirect to login; from loopback, the door is open.
The admin panel shows the delete endpoint. Sending:

```
stockApi=http://localhost/admin/delete?username=carlos
```

carlos deleted... You will notice that carlos is going to get bullied all across this SSRF series,
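The root cause in this lab is that the server fetches whatever URL the client puts in `stockApi`. As an added example (not the lab's or PortSwigger's code), the Python below shows the server-side handling that closes the hole: an exact allow-list for the upstream stock service, a loopback/private-address check as defence in depth, and the preferred fix of never accepting a URL from the client at all. The allow-listed host, port and path are taken from the legitimate `stockApi` value on this page; the helper names, the `build_stock_api_url` approach and the sample request bodies used for the detection pass are assumptions and constructed data, not anything from the lab.

```python
"""Hardened handling for a client-supplied stock-check URL (added example).

The allow-listed destination comes from the legitimate stockApi value in the
writeup; function names and sample bodies are assumptions for illustration.
"""
import ipaddress
from urllib.parse import parse_qs, urlencode, urlsplit

# Only the upstream stock service seen in the legitimate request is permitted.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"stock.weliketoshop.net"}
ALLOWED_PORTS = {8080}
ALLOWED_PATH_PREFIX = "/product/stock/check"


def is_loopback_or_private(hostname: str) -> bool:
    """True for 'localhost' or an IP literal in a loopback, private,
    link-local or reserved range. The exact host allow-list below already
    rejects these; this is defence in depth for callers that only have a host."""
    if hostname.lower().rstrip(".") == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        return False  # not an IP literal
    return addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_reserved


def validate_stock_api_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason). Anything that is not the allow-listed stock
    service, including the loopback admin URLs from the writeup, is rejected."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname or ""
    if is_loopback_or_private(host):
        return False, f"loopback/private destination: {host!r}"
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allow-list: {host!r}"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    if not parts.path.startswith(ALLOWED_PATH_PREFIX):
        return False, f"path not allowed: {parts.path!r}"
    return True, "ok"


def build_stock_api_url(product_id: str, store_id: str) -> str:
    """Preferred fix (assumed design): never accept a URL from the client.
    Take only the two identifiers and build the upstream URL server-side."""
    if not (product_id.isdigit() and store_id.isdigit()):
        raise ValueError("productId and storeId must be numeric")
    query = urlencode({"productId": product_id, "storeId": store_id})
    return f"http://stock.weliketoshop.net:8080{ALLOWED_PATH_PREFIX}?{query}"


# Constructed sample request bodies (not captured from the lab) for a
# detection pass over logged stock-check submissions.
SAMPLE_BODIES = [
    "stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1",
    "stockApi=http%3A%2F%2Flocalhost%2Fadmin",
    "stockApi=http%3A%2F%2Flocalhost%2Fadmin%2Fdelete%3Fusername%3Dcarlos",
]


def flag_ssrf_attempts(bodies: list[str]) -> list[tuple[str, str]]:
    """Return (decoded URL, reason) for every body whose stockApi value fails
    validation; this is what a WAF rule or SIEM query on the endpoint should alert on."""
    hits = []
    for body in bodies:
        for url in parse_qs(body).get("stockApi", []):
            ok, reason = validate_stock_api_url(url)
            if not ok:
                hits.append((url, reason))
    return hits


if __name__ == "__main__":
    for url, reason in flag_ssrf_attempts(SAMPLE_BODIES):
        print(f"BLOCKED {url}: {reason}")
    print(build_stock_api_url("1", "1"))
```

The allow-list check keeps a legacy `stockApi` parameter usable while refusing every destination except the upstream stock service; `build_stock_api_url` is the better design because the client then has no URL to tamper with in the first place. The same validation doubles as a detection signal: any logged `stockApi` value that fails it is a request the application would never generate itself.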