1. Basic SSRF against the local server

Server-side request forgery (SSRF): we coerce the server into making a request on our behalf to
some endpoint. The endpoint receives the request from the server rather than from us, so we can
abuse existing trust relationships between the server and the target endpoint.

In this case, the server uses a stock API to check whether an item is in stock. How the server
makes this request is visible to the user: a POST request is sent to the server with the API
frontend URL contained in the parameter "stockApi". The server then makes a GET request to this
stock API.

We want to delete the user "carlos", but we don't have administrator access on the server. We can,
however, hit the /product/stock endpoint on this server, allowing us to coerce the server into
making a GET request to an arbitrary URL. We make a POST request to the /product/stock endpoint on
the server, passing the parameter "stockApi" with the value
"http://localhost/admin/delete?username=carlos". The server proceeds to initiate a GET request to
itself, allowing us to abuse the existing trust relationship and delete the user "carlos".
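
The server-side check that stops this request, as an added example (not code from the lab or the
application): the "stockApi" value is accepted only if its host is on an allowlist and does not
resolve to a loopback or link-local address. The host name stock.internal.example, the address
10.0.5.20 and the DNS table are constructed assumptions so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only backend the stock check should ever contact.
ALLOWED_STOCK_HOSTS = {"stock.internal.example"}

# Constructed DNS answers so the example runs offline; a real service would
# resolve with socket.getaddrinfo and connect to the address it vetted.
SAMPLE_DNS = {
    "stock.internal.example": ["10.0.5.20"],
    "localhost": ["127.0.0.1"],
}


def resolve(host):
    return SAMPLE_DNS.get(host, [])


def check_stock_api_url(url, allowed=ALLOWED_STOCK_HOSTS, resolver=resolve):
    """Return (ok, reason) for a user-supplied stockApi value."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    # Exact-match allowlist: localhost, 127.0.0.1 and any other spelling of
    # the local server are rejected here because they are simply not listed.
    if host not in allowed:
        return False, "host not on allowlist"
    addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    # Second layer: an allowlisted name must never point back at this server.
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            return False, "resolves to loopback or link-local address"
    return True, "ok"
```

With this check in front of the outbound request, the value used in this lab is refused before
any GET is issued, while the legitimate stock API URL still passes.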


Solution