Lab: SSRF with Blacklist based Input Filter
Some applications try to prevent SSRF attacks by blacklisting requests containing certain keywords. A blacklist can be a reasonable secondary control if it is applied to the canonicalised destination of the request, but a loose substring match on the raw string is easily bypassed.
I begin the lab by accessing the website as usual, choose a random product and find a stock check feature:
Such features usually make a back-end request to a URL supplied in the stock check parameter. If the server fetches whatever URL it is given, it can be pointed at its own admin page; the admin interface sees the request as coming from localhost and therefore does not ask the user to authenticate.
And I was correct in my assumption. I send the request to Repeater to investigate further and see what I can do.
I try to get the admin page by replacing the URL with `http://localhost/admin`
But that doesn't go through, so I guess the keyword 'localhost' is being blocked. I assume '127.0.0.1' is blocked as well, so I try a few alternative spellings of the loopback address such as '127.1' and '2130706433', but all give the same output.
I am tempted to look for a fuzzing wordlist for URLs, but I try one last thing first: replacing 'http' with 'https'.
That doesn't work either, so I try obfuscating the keywords with URL encoding.
That fails too, so I try switching the case and URL-encoding the whole string.
I try this on the stockApi parameter and finally get a success!
So I craft a request to delete the user carlos, which in these labs is usually just a matter of appending `/delete?username=carlos` to the admin page URL, with the same obfuscation applied so that it still gets past the filter.
I verify by loading the admin page from the main site again.
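The filter in this lab behaves like a substring blacklist, and the bypasses above work because the check runs on the raw string, once, before anything downstream decodes it. Below is an added example, not code from the lab or from PortSwigger, showing a filter of that shape beside one that canonicalises the destination instead of looking for words. The blacklist contents, the allowlisted backend name `stock.example`, and the resolver stand-in that maps `localhost` to 127.0.0.1 are assumptions made for the example.

```python
"""Added example (not the lab's code): a keyword blacklist of the kind the lab's
stock checker appears to use, beside a check that canonicalises the destination.
The blacklist words, the allowlisted backend and the localhost stand-in are assumed."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumed keyword list: the lab only reveals that 'localhost', '127.0.0.1'
# and 'admin' are rejected.
BLACKLIST = ("localhost", "127.0.0.1", "admin")
# Assumed allowlist of the only backend the stock checker legitimately talks to.
ALLOWED_HOSTS = {"stock.example"}
_MAX_DECODE_ROUNDS = 3
_NUM = re.compile(r"0x[0-9a-f]+|[0-9]+", re.IGNORECASE)


def naive_filter_allows(url: str) -> bool:
    """One case-sensitive substring pass over the raw URL, before any decoding.
    This is the shape of filter that '127.1', '%2561dmin' and 'Admin' get past."""
    return not any(word in url for word in BLACKLIST)


def legacy_ipv4(host: str):
    """Parse the inet_aton() spellings that HTTP clients accept but keyword
    blacklists miss: 127.1, 0x7f.1, 0177.0.0.1 and the bare integer 2130706433.
    Returns an IPv4Address, or None if the string is not an IPv4 literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if not _NUM.fullmatch(p):
            return None
        try:
            if p[:2].lower() == "0x":
                values.append(int(p[2:], 16))
            elif len(p) > 1 and p[0] == "0":
                values.append(int(p, 8))  # leading zero means octal, as in inet_aton
            else:
                values.append(int(p))
        except ValueError:
            return None
    *lead, last = values
    if any(v > 255 for v in lead) or last >= 256 ** (4 - len(lead)):
        return None
    n = 0
    for v in lead:
        n = (n << 8) | v
    n = (n << (8 * (4 - len(lead)))) | last  # the last part fills the remaining bytes
    return ipaddress.IPv4Address(n)


def destination_ip(host: str):
    """Map a host to an IP address without touching the network: IPv4 literals in
    any legacy spelling, IPv6 literals, and 'localhost'.  Real code would resolve
    every other name with getaddrinfo() and check each returned address; here any
    other name returns None so that the caller denies it."""
    host = host.lower()
    for _ in range(_MAX_DECODE_ROUNDS):  # undo nested percent-encoding (%2561 -> %61 -> a)
        decoded = unquote(host)
        if decoded == host:
            break
        host = decoded
    ip = legacy_ipv4(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
    if ip is None and host == "localhost":  # assumed stand-in for a resolver answer
        ip = ipaddress.IPv4Address("127.0.0.1")
    return ip


def hardened_filter_allows(url: str) -> bool:
    """Decide on where the request goes, not on what the string contains."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in ALLOWED_HOSTS:
        return True
    ip = destination_ip(host)
    # Unknown names are denied rather than guessed at; IP literals are allowed only
    # when globally routable (no loopback, RFC 1918, link-local or metadata ranges).
    return ip is not None and ip.is_global


if __name__ == "__main__":
    for u in ("http://localhost/admin", "http://127.1/%2561dmin", "http://127.1/Admin",
              "http://2130706433/", "http://stock.example/check?productId=1"):
        print(f"{u:45} naive={naive_filter_allows(u)!s:5} hardened={hardened_filter_allows(u)}")
```

The naive filter rejects `http://localhost/admin` and `http://127.1/admin` but lets `http://127.1/%2561dmin` and `http://127.1/Admin` through, which is the behaviour seen in the lab. The hardened check never looks at the path at all: it reduces the host to an address, so every spelling of the loopback address, including double-encoded and mixed-case ones, ends up in the same deny branch.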