[This lab](https://0a8900ef03dece6c818b16c3003f0081.web-security-academy.net/) demonstrates a **basic Server-Side Request Forgery (SSRF)** vulnerability where an application fetches server-side resources based on user input without proper validation. Our goal is to abuse the stock checking feature to **access an internal admin panel** and **delete the user `carlos`**. --- #### 1. Recognize the Stock Check Mechanism - Navigated to a product page. - Found a **"Check stock"** button — this triggers a backend request (likely passing a `stockApi` parameter). - Direct access to `/admin` via browser returns a **403 Forbidden** (expected — client-side blocked). --- #### 2. Capture and Manipulate the Request - **Intercepted** the stock check request in **Burp Suite**. - Example request: ```http POST /product/stock HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 81 stockApi=http://stock.weliketoshop.net/product/stock/check?productId=1 ``` - **Sent to Repeater** for easier testing. --- #### 3. Modify `stockApi` Parameter - **Changed `stockApi`** to point to the internal admin panel: ```http stockApi=http://localhost/admin ``` - **Response:** HTML of the admin panel loaded! 💥 ![[CleanShot 2025-04-27 at 20.42.17.png]] --- #### 4. Locate the Deletion Endpoint - In the HTML, spotted something like: ```html <a href="/admin/delete?username=carlos">Delete user carlos</a> ``` - The app expects a `GET` request to `/admin/delete?username=carlos`. ![[CleanShot 2025-04-27 at 20.42.55.png]] --- #### 5. SSRF to Trigger User Deletion - Crafted the **final payload**: ```http stockApi=http://localhost/admin/delete?username=carlos ``` - Sent the request. - Lab confirmed as **Solved** ✅. --- #### Technical Breakdown |Component|Description| |---|---| |**Vulnerability**|Server-Side Request Forgery (SSRF)| |**Root Cause**|User input (`stockApi`) directly used in a server-side fetch, no validation on destination| |**Impact**|Internal resources accessible, potentially escalating to full server control| |**Defense**|Whitelist external domains, validate/normalize URLs, avoid trusting user input| **Analogy:** Think of SSRF like a gullible assistant: you tell them “go fetch this file,” and they will even go into the **boss’s private office** if you phrase it cleverly enough.