The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: SSRF via flawed request parsing

jfschoellkopf | Last updated: Feb 27, 2023 01:01AM UTC

Hello. I am very confused with this lab. I originally thought I was doing this lab correctly, but when I ran my Intruder attack the status codes and content lengths were all the same, indicating that none of my requests had the IP which gave me access to the admin page. Here are the steps I have taken:

1. Captured the regular GET / request of the application.

2. Changed the GET request to look like the following:

    GET https://0a910076048ea071c263849800540025.web-security-academy.net/ HTTP/1.1
    Host: bapohhsvk3ueqmvn68w568romfs6gw4l.oastify.com

   And the response was the following:

    HTTP/1.1 200 OK
    Server: Burp Collaborator https://burpcollaborator.net/
    X-Collaborator-Version: 4
    Content-Type: text/html
    Connection: close
    Content-Length: 55

    <html><body>5zl36k023o0xt3dip2vd8nzjjgigz</body></html>

3. I hit "Poll now" in Collaborator and was then returned an HTTP request.

4. I switched back to Repeater and sent this request to Intruder.

5. I made sure my payload looked like this:

    GET https://0a910076048ea071c263849800540025.web-security-academy.net/ HTTP/1.1
    Host: 192.168.0.$0$

   *The dollar signs are where I made my payload position for the request.*

6. I made sure my payload type was Numbers, from 0 to 255, step 1.

7. I ran the attack and then all my requests returned the same 200 OK status code with the same response.

I am not sure where I have gone wrong and would love some assistance. Thank you. Also, I am attempting the lab with my Burp Pro, if that matters.

jfschoellkopf | Last updated: Feb 27, 2023 01:06AM UTC

Also I know you guys cannot provide support or tutoring for the labs. I am just wondering if this is a user error or if there is something wrong with the lab.

Ben, PortSwigger Agent | Last updated: Feb 27, 2023 10:49AM UTC

Hi, if you are using a later version of Burp then you would need to make sure that you uncheck the 'Update host header to match target' checkbox within the Positions tab in your Intruder attack (otherwise the Host header that you have configured will be overwritten by the value within the Target field). The following screenshot illustrates this for you: https://snipboard.io/QCJwlO.jpg

jfschoellkopf | Last updated: Feb 27, 2023 02:46PM UTC

Woah, I did not even notice that on the Positions tab. Thank you so much; I was now able to solve the lab.
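The exchange above turns on a front-end that reads an absolute-form request line but routes on the Host header, so the two can disagree. The following added example (not from this thread, the lab, or PortSwigger) is a toy model of that parsing flaw next to a hardened variant; the host names, allow-list and IP address are constructed for illustration. It also shows why the Intruder option Ben mentions matters: once Burp rewrites the Host header to match the target URL, every request is the "consistent" case that the hardened parser accepts, and the attack traffic collapses into identical responses.

```python
"""Toy model of SSRF via flawed request parsing (added example, not PortSwigger code).

Assumed behaviour being modelled: the front-end validates the authority in an
absolute-form request line (GET https://host/ HTTP/1.1) against its allow-list
but then forwards to whatever the Host header says.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts this front-end should ever serve.
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}

# Constructed sample requests (the lab's real host name is not used here).
REQ_ORIGIN = "GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n"
REQ_ABS_OK = "GET https://shop.example/ HTTP/1.1\r\nHost: shop.example\r\n\r\n"
# Absolute URL points at the shop, Host header points at a private address.
REQ_ABS_MISMATCH = "GET https://shop.example/ HTTP/1.1\r\nHost: 192.168.0.42\r\n\r\n"


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, request-target, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def url_authority(target: str, headers: dict):
    """Authority named by the request line (or Host for origin-form targets)."""
    if target.startswith("/"):
        return headers.get("host")
    return urlsplit(target).hostname


def route_vulnerable(raw: str):
    """Flawed routing: the URL is checked, but the Host header picks the back-end.

    Returns the authority the request would be forwarded to, or None if rejected.
    """
    _, target, headers = parse_request(raw)
    if url_authority(target, headers) not in ALLOWED_HOSTS:
        return None
    return headers.get("host")  # attacker-controlled for absolute-form requests


def route_hardened(raw: str):
    """Hardened routing: one authority, taken from the request line, and it must
    match Host and be on the allow-list. A disagreement is rejected outright,
    which is what RFC 7230 section 5.4 expects for absolute-form requests.
    """
    _, target, headers = parse_request(raw)
    authority = url_authority(target, headers)
    host = headers.get("host")
    if authority is None or (host is not None and host != authority):
        return None
    if authority not in ALLOWED_HOSTS:
        return None
    return authority


def is_private_target(host: str) -> bool:
    """Defence in depth: flag literal private, loopback or link-local targets.

    A hostname returns False here; a real deployment would resolve it and
    re-check the resulting addresses before connecting.
    """
    try:
        ip = ipaddress.ip_address(host.rsplit(":", 1)[0])
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


if __name__ == "__main__":
    for name, req in [("origin", REQ_ORIGIN), ("abs-ok", REQ_ABS_OK),
                      ("abs-mismatch", REQ_ABS_MISMATCH)]:
        v, h = route_vulnerable(req), route_hardened(req)
        print(f"{name:13} vulnerable -> {v!s:15} hardened -> {h!s:15} "
              f"private? {is_private_target(v or '')}")
```

The mismatched request is the interesting row: the flawed router forwards it to 192.168.0.42 even though the URL passed the allow-list, while the hardened router rejects it. In detection terms, a front-end log line whose request-line authority and Host header differ, or whose forwarded target is a private address, is the signal to alert on.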

Mahendra | Last updated: Apr 10, 2023 10:03AM UTC

Hi, I have followed the above steps; however, I do not get a status code or response for any of the requests made in the attack. Thanks, Mahendra

Ben, PortSwigger Agent | Last updated: Apr 10, 2023 10:33AM UTC