Burp Suite User Forum


Lab: SSRF with whitelist-based input filter

Ahmed | Last updated: Apr 02, 2024 01:18AM UTC

This is what I have reached so far for what is happening when I provide the payload URL: http://localhost:80%2523@stock.weliketoshop.net/admin/

1. decode the URL
   * http://localhost:80%23@stock.weliketoshop.net/admin/
2. parse the URL checking for the host
   * username: `localhost`
   * password: `80%23`
   * host: `stock.weliketoshop.net`
   * path: `admin`
3. decode again (weird action)
   * http://localhost:80#@stock.weliketoshop.net/admin/
4. parse to get host and path (maybe to remove the username if it exists)
   * host: `localhost`
   * port: `80`
   * path: `admin`
5. curl to the URL
   * host: `localhost`
   * port: `80`
   * path: `admin`
   * fragment: `@stock.weliketoshop.net`

What I don't understand is why it will decode the URL twice? If I'm wrong please correct me.

Ben, PortSwigger Agent | Last updated: Apr 02, 2024 08:42AM UTC

Hi Ahmed, As noted in the learning material (https://portswigger.net/web-security/ssrf) some servers recursively URL-decode the input they receive and you can use this to confuse the URL-parsing code.
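
To make the parser-confusion point concrete, here is an added example (not code from the lab, from PortSwigger, or from either poster) that traces the payload above through successive URL-decoding rounds and shows which host a parser sees at each stage. It uses Python's `urllib.parse` as a stand-in for the lab server's parser, which is an assumption; the lab's real code is not shown anywhere in this thread. The `naive_allowed` and `hardened_allowed` functions are hypothetical names for the two validation strategies: checking the host of the string as received versus checking the host of the fully decoded form that will actually be fetched.

```python
"""Trace how repeated URL-decoding changes the host a URL parser reports.

Added illustration for the thread above; uses urllib.parse as a stand-in
for the lab's server-side parser (an assumption, not the lab's code).
"""
from urllib.parse import urlsplit, unquote

ALLOWED_HOSTS = {"stock.weliketoshop.net"}  # the lab's whitelisted host
MAX_DECODE_ROUNDS = 5                       # bound the fixed-point loop

# Constructed input: the payload discussed in the thread.
PAYLOAD = "http://localhost:80%2523@stock.weliketoshop.net/admin/"


def decode_stages(url: str, rounds: int = MAX_DECODE_ROUNDS) -> list:
    """Return (round, url, hostname, username) for each decoding round.

    Decoding stops when another unquote() no longer changes the string,
    or after `rounds` rounds, whichever comes first.
    """
    stages = []
    current = url
    for i in range(rounds + 1):
        parts = urlsplit(current)
        stages.append((i, current, parts.hostname, parts.username))
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return stages


def naive_allowed(url: str) -> bool:
    """Filter that validates the host of the URL *as received*.

    This is the pattern the payload defeats: the '@' pushes the
    whitelisted host into the authority, so the check passes even
    though later decoding turns 'localhost' into the real host.
    """
    return urlsplit(url).hostname in ALLOWED_HOSTS


def hardened_allowed(url: str) -> tuple:
    """Canonicalise first, then validate the exact form that will be fetched.

    Returns (allowed, canonical_url). The caller must fetch canonical_url,
    not the original string, so the validated and fetched forms match.
    """
    canonical = decode_stages(url)[-1][1]
    if unquote(canonical) != canonical:
        return False, canonical  # never reached a stable form: reject
    parts = urlsplit(canonical)
    if parts.scheme not in ("http", "https"):
        return False, canonical
    if parts.username is not None or parts.password is not None:
        return False, canonical  # user-info before '@' is a confusion vector
    if parts.hostname not in ALLOWED_HOSTS:
        return False, canonical
    return True, canonical


if __name__ == "__main__":
    for rnd, url, host, user in decode_stages(PAYLOAD):
        print(f"round {rnd}: host={host!r:26} username={user!r:12} {url}")
    print("naive filter allows payload:   ", naive_allowed(PAYLOAD))
    print("hardened filter allows payload:", hardened_allowed(PAYLOAD)[0])
```

Running it prints `stock.weliketoshop.net` as the host for rounds 0 and 1 and `localhost` for round 2, which is exactly the sequence Ahmed worked out by hand: the filter that checks the host before the final decode passes the request, while a filter that validates the canonical form it will actually fetch rejects it.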

Ahmed | Last updated: Apr 03, 2024 02:46AM UTC

Okay thanks
