Lab: Routing-based SSRF
This lab is vulnerable to routing-based SSRF via the Host header. You can exploit this to access an insecure intranet admin panel located on an internal IP address.
To solve the lab, access the internal admin panel located in the
192.168.0.0/24 range, then delete Carlos.
To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator's default public server (
GET /request that received a 200 response to Burp Repeater.
- From the Burp menu, open the Burp Collaborator client. In the dialog, click "Copy to clipboard" to copy your Burp Collaborator domain name. Leave the dialog open for now.
- In Burp Repeater, replace the Host header value with your Collaborator domain name and send the request.
- Go back to the Collaborator client dialog and click "Poll now". You should see a couple of network interactions in the table, including an HTTP request. This confirms that you are able to make the website's middleware issue requests to an arbitrary server. You can now close the Collaborator client.
GET /request to Burp Intruder. In Burp Intruder, go to the "Positions" tab and clear the default payload positions. Delete the value of the Host header and replace it with the following IP address, adding a payload position to the final octet:
On the "Payloads" tab, select the payload type "Numbers". Under "Payload Options", enter the following values:
- Click "Start attack". A warning will inform you that the Host header does not match the specified target host. As we've done this deliberately, you can ignore this message.
When the attack finishes, click the "Status" column to sort the results. Notice that a single request received a 302 response redirecting you to
/admin. Send this request to Burp Repeater.
In Burp Repeater, change the request line to
GET /adminand send the request. In the response, observe that you have successfully accessed the admin panel.
Study the form for deleting users. Notice that it will generate a
/admin/deletewith both a CSRF token and
usernameparameter. You need to manually craft an equivalent request to delete Carlos.
Change the path in your request to
/admin/delete. Copy the CSRF token from the displayed response and add it as a query parameter to your request. Also add a
carlos. The request line should now look like this but with a different CSRF token:
Copy the session cookie from the
Set-Cookieheader in the displayed response and add it to your request.
Right-click on your request and select "Change request method". Burp will convert it to a
- Send the request to delete Carlos and solve the lab.