# How to exploit a basic SSRF vulnerability?

The challenge in this writeup is from PortSwigger's Web Security Academy. You can access it [here](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost) for free.
## The challenge


![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1641709390900/enw5i9fT5O.png)
We need to access the admin panel and delete the user called `Carlos`. The admin panel is reachable only from the internal network.

## The details we have
The lab tells us which endpoint is vulnerable to SSRF: the `Stock check` feature. It also gives us the URL of the admin interface.

## Exploring the app
This is the landing page of the lab.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1641704070573/sqSQDoLRy.png)

On viewing any product's details, we can see an option to check stock.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1641704165581/1GVQRN4YI.png)


The request below is sent to the server whenever we check the stock.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1641704272328/cwb0X3erG.png)

### The first door to the solution
Let's replace the stock URL with the admin URL given on the challenge page.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1641704449040/JPRfbldiF.png)

When we send the modified request, we get the admin interface in place of the stock details.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1641704583362/MFhK4-gtZ.png)


### The Final task
The main task is to delete the user named `Carlos`.

There is a delete button next to the username `Carlos`. Clicking it sends a `GET` request to the server from ***our browser***.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1641707968487/DYCRAoO5j.png)

However, the response is permission denied. What went wrong?

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1641708022260/yRi3EenqA.png)

The server accepts admin requests only when they come from the internal network; any other request is rejected.

So we need to send the user-deletion request the same way we reached the admin panel earlier.

#### What can we do to delete the user `Carlos`?

Let's send the user-deletion request through the SSRF vulnerability in the stock check feature, which should delete the user `Carlos`.


![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1641708675029/UGZ2-uXpf.png)
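The root cause in this lab is that the stock checker fetches whatever URL it is handed, and the admin panel trusts any request that arrives from the local machine. As an added example (my code, not the lab's or PortSwigger's), the block below shows the check a stock-check fetcher should run on its target before making the request, and the same check applied to constructed request-log lines to flag stock-check calls that were pointed at the local server. The allowlisted host `stock.example.internal`, its address in `FAKE_DNS` and the log lines are all constructed assumptions; the lab names no backend host.

```python
import ipaddress
from urllib.parse import urlparse

# Hypothetical allowlist: the only host the stock checker is meant to contact.
# Constructed for this example; the lab does not name a backend host.
ALLOWED_STOCK_HOSTS = {"stock.example.internal"}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline. A real service would
# resolve with socket.getaddrinfo and apply the same address checks.
FAKE_DNS = {
    "stock.example.internal": "93.184.216.34",  # constructed public address
}


def is_internal_ip(ip_text):
    """True for loopback, private, link-local and other non-public addresses."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_target(url, resolver=FAKE_DNS.get):
    """Classify a URL the stock checker was asked to fetch.

    Returns None when the URL may be fetched, otherwise a short reason string.
    Checks run in the order a fetcher should apply them: scheme, hostname
    allowlist, then the resolved address, so an allowlisted name that
    unexpectedly resolves to loopback is still rejected.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parsed.scheme or '(none)'}"
    host = parsed.hostname
    if host is None:
        return "missing host"
    if host not in ALLOWED_STOCK_HOSTS:
        return f"host not on allowlist: {host}"
    ip_text = resolver(host)
    if ip_text is None:
        return f"host does not resolve: {host}"
    if is_internal_ip(ip_text):
        return f"host resolves to internal address: {ip_text}"
    return None


# Constructed request-log lines for the stock-check endpoint, with the
# stockApi parameter already decoded. Line 1 is a legitimate stock lookup;
# the rest are the kind of targets this lab's technique produces.
SAMPLE_LOG = """\
POST /product/stock stockApi=http://stock.example.internal:8080/product/stock/check?productId=1
POST /product/stock stockApi=http://localhost/admin
POST /product/stock stockApi=http://127.0.0.1/admin
POST /product/stock stockApi=http://evil.example.com/
POST /product/stock stockApi=ftp://stock.example.internal/
"""


def scan_log(text, resolver=FAKE_DNS.get):
    """Return (line_number, url, reason) for each logged stock-check request
    whose target check_target would have refused; a feed for alerting."""
    marker = "stockApi="
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        idx = line.find(marker)
        if idx == -1:
            continue
        url = line[idx + len(marker):].strip()
        reason = check_target(url, resolver)
        if reason is not None:
            findings.append((n, url, reason))
    return findings


if __name__ == "__main__":
    for n, url, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {url} -> {reason}")
    # Defence in depth: an allowlisted name pointed at loopback is still refused.
    print(check_target("http://stock.example.internal/",
                       resolver=lambda host: "127.0.0.1"))
```

The allowlist does most of the work here: a hostname such as `localhost` or a literal `127.0.0.1` never reaches the network layer. The resolved-address check is the second line of defence for the case where an allowlisted name is later pointed at an internal address. Either check on its own would have stopped the request this lab relies on; the separate fix for the admin panel is to authenticate admin actions rather than trust the requester's network location.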

### Revisiting the `admin` page
If we open the `admin` page again through the `stock check` endpoint, only one user is listed. The user `Carlos` has been deleted.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1641708845420/pCwznOQF2.png)

We have solved the easy lab **Basic SSRF against the local server** from PortSwigger's Web Security Academy.

![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1641708962792/IReFpNWpS.png)


## References

- [Lab: Basic SSRF against the local server](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost)
- [Learn more about SSRF vulnerability](https://portswigger.net/web-security/ssrf)