2. Basic SSRF against another back-end system

Server-side request forgery (SSRF) - we coerce the server into making a request on our behalf to
some endpoint. The endpoint will receive the request from the server, not us, therefore we can abuse
existing trust relationships between the server and the target endpoint.

In this case, the server uses a stock API to check whether an item is in stock. How the server
makes this request is visible to the user: a POST request is sent to the server with the stock API
frontend URL contained in the parameter "stockApi", and the server then makes a GET request to that
stock API URL.

We know that the admin endpoint is hosted on a different back-end server inside the private network
where the website resides (192.168.0.x). To delete the user "carlos", we have to brute-force the
location of that back-end server, using the SSRF to make requests to each candidate IP address and
inspecting the response to determine when we have found the correct admin endpoint.

Once we find the backend endpoint, we make our request to the /product/stock endpoint on the server,
with the stockApi parameter set to "http://192.168.0.x/admin/delete?username=carlos". The website
server proceeds to initiate a GET request to the backend server, allowing us to abuse the existing
trust relationship and delete the user "carlos".
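The defensive counterpart of the flaw above, as an added illustration rather than code from the lab or from PortSwigger: a Python stock-lookup handler that fetches whatever URL the stockApi parameter holds, beside a hardened version that validates the URL against a host allowlist and rejects private-range IP literals before any request is made. The allowlisted host, the FakeBackend stand-in for the network and the 192.168.0.68 address are constructed for the example.

```python
import ipaddress
from typing import Callable, List, Optional
from urllib.parse import urlparse

# Hosts the stock-check feature is permitted to call (constructed allowlist for this example).
ALLOWED_STOCK_HOSTS = {"stock.example-shop.internal"}


def vulnerable_stock_lookup(stock_api: str, fetch: Callable[[str], str]) -> str:
    """Behaves like the lab: the server issues a GET to whatever URL stockApi holds."""
    return fetch(stock_api)


def validate_stock_api(stock_api: str) -> Optional[str]:
    """Return a rejection reason, or None when the URL may be fetched."""
    parsed = urlparse(stock_api)
    if parsed.scheme not in ("http", "https"):
        return "scheme not permitted"
    host = parsed.hostname  # lower-cased; IPv6 brackets already stripped
    if not host:
        return "missing host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a DNS name rather than an IP literal
    if addr is not None and not addr.is_global:
        return "literal address in a private or reserved range"
    if host not in ALLOWED_STOCK_HOSTS:
        return "host not on the stock-API allowlist"
    return None


def hardened_stock_lookup(stock_api: str, fetch: Callable[[str], str]) -> str:
    """Refuse the request before any network call unless the URL passes validation."""
    reason = validate_stock_api(stock_api)
    if reason is not None:
        raise ValueError(f"stockApi rejected: {reason}")
    return fetch(stock_api)


class FakeBackend:
    """Stand-in for the network: records every URL the server was coerced into requesting."""

    def __init__(self) -> None:
        self.requested: List[str] = []

    def fetch(self, url: str) -> str:
        self.requested.append(url)
        return "deleted" if "/admin/delete" in url else "in stock"
```

The allowlist check compares hostnames only; a name that resolves to an internal address, or an allowlisted host that redirects elsewhere, still needs to be handled at resolution and redirect time.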


Solution