Routing-based SSRF
Description
This lab is vulnerable to routing-based SSRF via the Host header. This can be exploited to access an insecure intranet admin panel located on an internal IP address.
Reproduction
Send the
GET /
request that received a200
response to Burp Repeater.In Burp Repeater, select the
Host
header value, right-click and select Insert Collaborator payload to replace it with a Collaborator domain name. Send the request.Go to the Collaborator tab and click Poll now. You should see a couple of network interactions in the table, including an HTTP request. This confirms that you are able to make the website’s middleware issue requests to an arbitrary server.
Send the
GET /
request to Burp Intruder. In Burp Intruder, go to the Positions tab and clear the default payload positions. Delete the value of theHost
header and replace it with the following IP address, adding a payload position to the final octet:
Host: 192.168.0.§0§
On the Payloads tab, select the payload type Numbers. Under Payload Options, enter the values:
From: 0
To: 255
Step: 1
Click Start attack. A warning will inform you that the
Host
header does not match the specified target host. As we’ve done this deliberately, you can ignore this message. When the attack finishes, click the Status column to sort the results. Notice that a single request received a 302 response redirecting you to/admin
. Send this request to Burp Repeater.In Burp Repeater, change the request line to
GET /admin
and send the request. In the response, observe that you have successfully accessed the admin panel.Study the form for deleting users. Notice that it will generate a
POST
request to/admin/delete
with both aCSRF
token andusername
parameter. You need to manually craft an equivalent request to delete Carlos.Change the path in your request to
/admin/delete
. Copy theCSRF
token from the displayed response and add it as aquery
parameter to your request. Also add ausername
parameter containingcarlos
. The request line should now look like this but with a different CSRF token:
GET /admin/delete?csrf=QCT5OmPeAAPnyTKyETt29LszLL7CbPop&username=carlos
Copy the session cookie from the
Set-Cookie
header in the displayed response and add it to your request.Right-click on your request and select Change request method. Burp will convert it to a POST request.
Send the request to delete Carlos and solve the lab.
Exploitability
An attacker will need to access the internal admin panel located in the 192.168.0.0/24
range, then delete Carlos. Note: To prevent the Academy platform being used to attack third parties, the firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, use Burp Collaborator’s default public server.