PortSwigger Lab: SSRF with filter bypass via open redirection vulnerability
Task
This lab has a stock check feature which fetches data from an internal system.
To solve the lab, change the stock check URL to access the admin interface at http://192.168.0.12:8080/admin and delete the user carlos.
The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first.
Attempt
On each product page you can check a stock. Upon clicking ‘check stock’ the post request was sent to ‘/product/stock’ with the referrer Referer: https://ID.web-security-academy.net/product?productId=1 and stockApi stockApi=%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1. This is url encoded so I put this into Decoder and the result is /product/stock/check?productId=1&storeId=1. I directly rewrote the url but failed, "Invalid external stock check url 'Invalid URL'".
Clicking next product sent a GET request to this url /product/nextProduct?currentProductId=1&path=/product?productId=2. This would redirect me to Location: /product?productId=2 so the url under the path parameter could be vulnerable to open redirect.
Since directly changing the url to an internal one didn’t work, I gave /product/nextProduct?path=http://192.168.0.12:8080/admin to the stock api.
In the response I found the user delete feature:
<div>
<span>carlos - </span>
<a href="/http://192.168.0.12:8080/admin/delete?username=carlos">Delete</a>
</div>
Adding /delete?username=carlos to the url and sent again. This deleted the user and solved the lab.