Bypassing-SSRF-filters-via-open-redirection
Bypassing SSRF filters via open redirection​
It is sometimes possible to circumvent any kind of filter-based defenses by exploiting an open redirection vulnerability.
In the preceding SSRF example, suppose the user-submitted URL is strictly validated to prevent malicious exploitation of the SSRF behavior. However, the application whose URLs are allowed contains an open redirection vulnerability. Provided the API used to make the back-end HTTP request supports redirections, you can construct a URL that satisfies the filter and results in a redirected request to the desired back-end target.
For example, suppose the application contains an open redirection vulnerability in which the following URL:
/product/nextProduct?currentProductId=6&path=http://evil-user.net
returns a redirection to:
http://evil-user.net
You can leverage the open redirection vulnerability to bypass the URL filter, and exploit the SSRF vulnerability as follows:
POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded Content-Length: 118 stockApi=http://weliketoshop.net/product/nextProduct?currentProductId=6&path=http://192.168.0.68/admin
This SSRF exploit works because the application first validates that the supplied stockAPI
URL is on an allowed domain, which it is. The application then requests the supplied URL, which triggers the open redirection. It follows the redirection, and makes a request to the internal URL of the attacker's choosing.
Challenge​
--> In this challenge we have to find the open redirection vulnerability and escalate it to SSRF
We have ip address given which is http://192.168.0.12:8080/admin
--> i was playing with stockApi
but i was unable to find the open redirect and after some time i decided to see other requests And i found that when we click on next post
the request looks like this :
GET /product/nextProduct?currentProductId=2&path=/product?productId=3
Here we have path
parameter in which i tried to write https://google.com
and boom i got the open redirect!
--> After that i tried to change it with http://192.168.0.12:8080/admin
but the page was keep loading so that means it can't find the page!
So after that i tried to put something like this in stockApi
value and encoded it with url encode.
/product/nextProduct?currentProductId=2&path=http://192.168.0.12:8080/admin/delete?username=carlos
So final request looks like this:
And we solved the lab!