Burp Suite User Forum


[SPOILER] "Lab: SSRF with whitelist-based input filter" explanation?

Jorrit | Last updated: Jul 21, 2021 11:12PM UTC

Hi! I do not understand why the payload "http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos" works in this lab. I think I understand this part: the filter only URL-decodes a single time, which makes the username localhost%23, which is still accepted by the filter. The code that handles the backend request recursively URL-decodes, which makes the requested URL: http://localhost#@stock.weliketoshop.net/admin/delete?username=carlos. Please correct me if I did not explain it correctly. The part I do not understand is how the path /admin/delete?username=carlos gets appended to http://localhost to get http://localhost/admin/delete?username=carlos. Can someone please explain this to me? Thank you! Kind Regards, Jorrit Wegman

Uthman, PortSwigger Agent | Last updated: Jul 22, 2021 09:23AM UTC

'http://localhost#@stock.weliketoshop.net/admin/delete?username=carlos' and 'http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos' look different to the server. You will notice that the second is double URL-encoded and this results in a 500 internal server error, whilst the former request results in a 400 response. The lab is essentially telling you that '#' is parsed differently when it is double URL-encoded as %2523. '/admin/delete?username=carlos' is just added to access the admin console and delete the user.

Jorrit | Last updated: Jul 22, 2021 11:25AM UTC

Thank you for the response. I understand why /admin/delete is added, but I do not understand how it's still in the path even though it is placed after the '#' character.

Uthman, PortSwigger Agent | Last updated: Jul 23, 2021 08:40AM UTC

Since the username is only parsed when the '#' is double-URL-encoded, the URL becomes http://localhost:80/admin/delete?username=carlos. The server extracts the hostname and validates it against a whitelist, so http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos becomes http://localhost:80/admin/delete?username=carlos to the server. Unfortunately, we do not provide 1-1 support for the academy, but this post will remain up if anyone else wants to contribute with some further input!
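As an added illustration (not from the thread, PortSwigger or the lab's own code) of the parsing disagreement Uthman describes, the snippet below uses Python's urllib.parse as a stand-in for the lab's filter and backend: a validator that decodes once sees stock.weliketoshop.net, a client that decodes to a fixed point sees localhost, and a hardened check rejects the request when the two views disagree or when any decoding round exposes userinfo. The allow-list and the decode-to-fixed-point behaviour are assumptions; the thread does not say how the lab's backend actually builds its request.

```python
from urllib.parse import urlparse, unquote

# Constructed from the payload discussed in the thread.
PAYLOAD = "http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos"
# Assumed allow-list; the lab's real list is not shown in the thread.
ALLOWED_HOSTS = {"stock.weliketoshop.net"}


def decode_fully(url, max_rounds=5):
    """URL-decode until the string stops changing (what a recursive decoder ends up with)."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            return url
        url = decoded
    return url


def host_after_single_decode(url):
    """Host a filter sees when it decodes exactly once: 'localhost%23' is treated as userinfo."""
    return urlparse(unquote(url)).hostname


def host_after_full_decode(url):
    """Host a client sees after decoding to a fixed point: the '#' now ends the authority."""
    return urlparse(decode_fully(url)).hostname


def naive_filter_allows(url):
    """Single-decode allow-list check of the kind the lab bypasses."""
    return host_after_single_decode(url) in ALLOWED_HOSTS


def hardened_filter_allows(url):
    """Reject userinfo in the raw or fully decoded form, reject URLs whose host changes
    between decoding rounds, and only then compare the final host against the allow-list."""
    raw, final = urlparse(url), urlparse(decode_fully(url))
    if raw.username is not None or final.username is not None:
        return False
    if host_after_single_decode(url) != final.hostname:
        return False
    return final.hostname in ALLOWED_HOSTS
```

Note that urllib.parse treats everything after the '#' as a fragment, so the path comes out empty here; the lab's backend evidently keeps /admin/delete, which is exactly the detail the thread is asking about.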

Harshit | Last updated: Jul 24, 2021 04:07AM UTC

I think there is another filter that strips everything from %25 until it sees /, and the remaining part concatenates, which leads to http://localhost/admin.

