Lab link.
Blacklist-based management can be used as a precaution against SSRF attacks. Some applications can block IP and keywords such as localhost, admin, or 127[.]0[.]0[.]0[.]1. This method can be bypassed.
We navigate the application and find where an HTTP request communicates with the API endpoint. This is the stock check section.
With the stockApi parameter, we make SSRF attempts and see that the SSRF attempts are blocked.
In this case, URL encoding, and case checks can use the 127.1 method or a domain name that will resolve to 127.0.0.1.
We gain access with hxxp[://]127[.]1/Admin. Here, precautions have been taken in the admin keyword, so we can bypass the precaution either by URL encoding or by enlarging the letter “A”
We delete the user carlos and the lab is solved.
Hello, I am Aleyna Doğan. I work as a Sr. Cyber Threat Intelligence Analyst. In my blog, we write blog posts that my friends and I want to share. Have a good read.