SSRF with filter bypass via open redirection vulnerability

efran
3 min readJan 11, 2021


Explanation of the lab: This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://192.168.0.12:8080/admin and delete the user carlos. However, the stock checker is restricted to only access the local application, so you need to find an open redirect vulnerability in the application that can be leveraged to reach the desired URL.

What is Open Redirection Vulnerability?

An open redirect occurs when an application takes a parameter and redirects a user to that parameter value without conducting any validation on the value. How can we find that vulnerability?

Redirection is our keyword. An HTTP redirect uses a response with a 3xx status code and a Location header specifying the target of the redirect. There are various techniques to detect this vulnerability. I have mentioned the starting point, and I would also like to emphasize the importance of preventing open redirection vulnerabilities:

  1. The most effective way is to not include untrusted (user-supplied) data in the target of a redirect.
  2. Remove the redirection page from the application and replace links to it with direct links.
  3. Use a kind of whitelisting. First, create a list of all URLs that the application will redirect to. Instead of passing the target URL as a parameter to the redirect page, pass an index that corresponds to the desired URL in the list.
  4. The application should use URLs relative to the web root for all its redirects, and the redirect page should prepend http://YOUR_DOMAIN.com to all (untrusted) user-supplied URLs before issuing the redirect. If the user-supplied URL does not begin with a / (slash), it should still be prepended with http://YOUR_DOMAIN.com so that it can never point off-site.
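As an added example (not code from this post or from the lab), here are prevention steps 3 and 4 in Python, plus a per-hop host check for a fetcher like the lab's stock checker, which is what the SSRF part of this lab abuses. APP_ORIGIN, REDIRECT_TARGETS and LOCAL_HOSTS are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed, hypothetical values for this example (not from the lab).
APP_ORIGIN = "https://YOUR_DOMAIN.com"   # placeholder origin, as in step 4
REDIRECT_TARGETS = [                      # step 3: allowlist addressed by index
    "/product?productId=1",
    "/product?productId=2",
    "/my-account",
]
LOCAL_HOSTS = {"localhost", "127.0.0.1"}  # hosts the stock checker may fetch


def redirect_by_index(index_param):
    """Step 3: the redirect page receives an index, never a URL.
    Returns the absolute Location value, or None for an unknown index."""
    if not index_param.isdigit():
        return None
    i = int(index_param)
    if i >= len(REDIRECT_TARGETS):
        return None
    return APP_ORIGIN + REDIRECT_TARGETS[i]


def redirect_relative(path_param):
    """Step 4: treat the parameter as a web-root-relative path and prepend
    the application's own origin. A value that does not start with '/'
    gets one, so 'http://192.168.0.12:8080/admin' becomes a harmless path
    under APP_ORIGIN instead of an off-site or internal-network target."""
    if not path_param.startswith("/"):
        path_param = "/" + path_param
    location = APP_ORIGIN + path_param
    # Defence in depth: the host a client would follow must still be ours.
    assert urlsplit(location).netloc == urlsplit(APP_ORIGIN).netloc
    return location


def stock_fetch_allowed(hops):
    """The lab's SSRF works because the stock checker validates only the
    first URL and then follows the 302 blindly. Re-check every hop (or do
    not follow redirects at all) so a redirect to 192.168.0.12 is refused."""
    return all(urlsplit(h).hostname in LOCAL_HOSTS for h in hops)
```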

Let’s jump into the lab and take a look at what we learned.

I intercepted the Stock Check request and sent it to repeater.

I saw a next product button and intercepted that request.

Here is the 302 redirection, with a Location header. I changed the path to “asadasdad” and saw exactly the same in the response. Let’s get rid of currentProductId.

GET /product/nextProduct?path=/product?productId=4 HTTP/1.1

Following the redirection, I was redirected to /product?productId=4.

Let’s let it redirect to http://192.168.0.12:8080/admin.

We are done with open redirection. Let’s use our knowledge of SSRF: change the stockApi parameter to the /product/nextProduct…

We reach the admin panel. It is obvious what the next step is.

Hit me up if you have noticed something is not correct or want to add extra information. I would be thankful.
