Burp Suite User Forum

suspecting a small mistake in SSRF topic

Mouaz | Last updated: Dec 02, 2023 04:15PM UTC

To whom it may concern,

While learning and completing SSRF academy labs, I came across the topic "SSRF with whitelist-based input filters" under "Circumventing common SSRF defenses", and I believe there might be a small mistake in the first method: "embed credentials in a URL before the hostname, using the @ character".

The payload as in the example goes as follows:

https://expected-host:fakepassword@evil-host

But to my knowledge, embedding should be such as:

http://username:password@URL

And hence, I believe the example has a small mistake and should rather be like this:

https://evil-host:fakepassword@expected-host

Moreover, solving its corresponding lab below shows that the payload confirms the issue:

http://localhost:80%2523@stock.weliketoshop.net/admin/delete?username=carlos

Could you please confirm whether it's indeed a mistake in the example or if maybe I understood the example wrong? Thanks in advance :)

Michelle, PortSwigger Agent | Last updated: Dec 04, 2023 11:24AM UTC

The expert-level labs are designed to be more challenging, so sometimes you may need to use the examples provided in the learning materials as a base and then expand them further, so there might not always be an exact match. I hope this helps to explain why there are differences in the learning resources and the solution provided with the lab.
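
Added example, not part of the forum posts or of PortSwigger's material: how a standards-following parser splits the authority of the URLs quoted in this thread, how the parsed host can change if a later component percent-decodes before parsing, and a strict allowlist check. The function names, the allowlist contents and the two decoding rounds are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumed allowlist; the host name is the one in the lab URL quoted in the thread.
ALLOWED_HOSTS = {"stock.weliketoshop.net"}
LAB_URL = "http://localhost:80%2523@stock.weliketoshop.net/admin/delete?username=carlos"

def authority_parts(url):
    """Return (userinfo, hostname) as an RFC 3986 parser splits the authority."""
    parts = urlsplit(url)
    userinfo, at, _ = parts.netloc.rpartition("@")
    return (userinfo if at else None), parts.hostname

def hosts_after_decoding(url, rounds=2):
    """Hostnames seen if a component percent-decodes 0..rounds times before parsing."""
    seen = []
    for _ in range(rounds + 1):
        seen.append(urlsplit(url).hostname)
        url = unquote(url)
    return seen

def is_allowed(url):
    """Strict check: parse once, refuse ambiguous authorities, match the host exactly."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # Userinfo, percent-escapes and backslashes in the authority are where a
    # filter and the fetching component can disagree about the host.
    if any(c in parts.netloc for c in "@%\\"):
        return False
    return parts.hostname in ALLOWED_HOSTS

if __name__ == "__main__":
    for u in ("https://expected-host:fakepassword@evil-host",
              "https://evil-host:fakepassword@expected-host",
              LAB_URL):
        print(u, "->", authority_parts(u))
    print("hosts per decoding round:", hosts_after_decoding(LAB_URL))
    print("allowed:", is_allowed(LAB_URL), is_allowed("http://stock.weliketoshop.net/"))
```

A URL whose `hosts_after_decoding` list contains more than one distinct value is one where a filter and a fetcher can resolve different hosts, which is why `is_allowed` rejects any authority containing `@` or `%` instead of trying to interpret it.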
