SSRF via flawed request parsing
Send the GET / request that received a 200 response to Burp Repeater.
open Burp Collaborator and copy the Collaborator payload
now let's see whether the server makes requests to an arbitrary server
Observe that the website validates the Host header and blocks any requests in which it has been modified.
Although the request line typically specifies a relative path on the requested domain, many servers are also configured to understand requests for absolute URLs.
The ambiguity caused by supplying both an absolute URL and a Host header can also lead to discrepancies between different systems. Officially, the request line should be given precedence when routing the request but, in practice, this isn't always the case. You can potentially exploit these discrepancies in much the same way as duplicate Host headers.
GET https://vulnerable-website.com/ HTTP/1.1
Host: bad-stuff-here
xhihu3s65epievf5qfgkoqysajgd43ss.oastify.com is the Burp Collaborator server (the value used in place of bad-stuff-here)
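The security-relevant point above is the disagreement between the absolute URL in the request line and the Host header. The following checker is an added example, not part of the lab or of Burp: it parses a raw HTTP/1.1 request head and flags exactly that discrepancy, which is the check a front-end server should perform before routing on either value. The ALLOWED_HOSTS allowlist and the sample requests are constructed for the example.

```python
"""Flag absolute-form request targets whose authority disagrees with the Host header."""
from urllib.parse import urlsplit

# Hostnames this server is willing to serve (assumed allowlist for the example).
ALLOWED_HOSTS = {"vulnerable-website.com"}


def parse_request_head(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.1 request head into method, request-target and headers."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def check_request(raw: str) -> str:
    """Return 'ok', or the reason the request should be rejected instead of routed."""
    _method, target, headers = parse_request_head(raw)
    host_header = headers.get("host", "").split(":")[0]
    if "://" in target:
        # Absolute-form target: its authority is what the request line says to route to.
        authority = urlsplit(target).hostname or ""
        if authority not in ALLOWED_HOSTS:
            return f"absolute-form target {authority!r} is not served here"
        if host_header and host_header != authority:
            # The lab's trick: the request line and Host header name different hosts.
            return f"Host header {host_header!r} disagrees with target {authority!r}"
        return "ok"
    if host_header not in ALLOWED_HOSTS:
        return f"Host header {host_header!r} is not served here"
    return "ok"


# Constructed samples: the lab's shape (absolute URL plus a Host header pointing at an
# internal address) beside an ordinary request.
LAB_STYLE_REQUEST = (
    "GET https://vulnerable-website.com/ HTTP/1.1\r\n"
    "Host: 192.168.0.165\r\n"
    "\r\n"
)
NORMAL_REQUEST = "GET / HTTP/1.1\r\nHost: vulnerable-website.com\r\n\r\n"

if __name__ == "__main__":
    print(check_request(LAB_STYLE_REQUEST))
    print(check_request(NORMAL_REQUEST))
```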
if you are using Burp Suite version 2022 or later, it defaults to HTTP/2 for sending requests, and HTTP/2 does not support supplying an absolute URL in the request line. To get around this we have to temporarily downgrade to HTTP/1.1:
step1 -> go to settings
step2 -> go to HTTP
step3 -> deselect the Default to HTTP/2 if the server supports it option
go to Collaborator and click "Poll now": the application server has issued a request to an arbitrary server
To solve the lab, access the internal admin panel located in the 192.168.0.0/24 range, then delete the user carlos.
so let's make a request and have the Host header walk through all the IP addresses in this range until we reach the admin panel
send this request to intruder
click on start attack and then click on ignore
now click on the Length column to sort and find the different response, which will be the IP address that serves the admin panel
so the admin panel exists at 192.168.0.165
on the response, click "Show response in browser", copy the link and paste it in the browser
type carlos and, before clicking the delete user button, intercept this request using Burp
we can find it in http history let's send the request to repeater
and we have solved the lab
hope you found this walkthrough easy to understand and follow
Greeting From Sayonara