WebGoat SSRF 2 3

InfoSec Write-ups – Medium

WebGoat SSRF 2

WebGoat SSRF lesson 2

After watching this mind-blowing talk about SSRF from Orange Tsai, let’s see what’s in this lesson.

Tom, pretty straightforward

Press the button and we get Tom

The lesson explicitly tells us to change the URL to “jerry”

Hidden page input

Inspect the button with your browser’s dev tools, find the hidden input and change the URL from “tom” to “jerry”.

And here’s Jerry

Press the button again and the lesson is completed

WebGoat SSRF 3

A brand new button!

Press the button

No go

To stick to the game plan, we can check whether there is something like the last lesson in here.

Again, a hidden input field

Change the hidden text input to “http://ipconfig.pro”, thus asking the server to request that page.

Yep, ipconfig.pro

Press the button again and the lesson is completed

And remember to visit http://ipconfig.pro/ to see what it offers.
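To show what the lesson-3 server does with that hidden field, here is an added example (Python, not WebGoat’s own Java code): the unvalidated fetch target beside a hardened version with a scheme and host allowlist and a resolved-address check. The host names, the allowlist and the fake DNS table are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Lesson 3 pattern: the server fetches whatever URL the hidden form field holds.
def vulnerable_target(form: dict) -> str:
    """Returns the URL the server would fetch: no validation at all."""
    return form["url"]          # "http://ipconfig.pro", or an internal address

# Hardened variant. Allowlist and DNS table are constructed for this example.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
FAKE_DNS = {"images.example.com": "1.2.3.4",   # constructed public address
            "cdn.example.com": "10.0.0.5"}      # allowlisted name, internal record

def fake_resolve(host: str) -> str:
    """Stand-in for socket.gethostbyname so the example runs offline."""
    return FAKE_DNS.get(host, "127.0.0.1")

def hardened_target(form: dict, resolve=fake_resolve) -> str:
    """Returns the URL only if scheme, host and resolved address all pass."""
    url = form.get("url", "")
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL")        # https://allowed@evil/
    if parts.port not in (None, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    # The name may still point inside the network (misconfiguration or DNS
    # rebinding); reject non-public addresses and, in real code, connect to
    # the address that was checked rather than resolving a second time.
    addr = ipaddress.ip_address(resolve(host))
    if not addr.is_global:
        raise ValueError(f"{host} resolves to non-public address {addr}")
    return url

def handle(form: dict, resolve=fake_resolve) -> tuple:
    """Request handler outcome: ('allowed', url) or ('blocked', reason)."""
    try:
        return ("allowed", hardened_target(form, resolve))
    except ValueError as exc:
        return ("blocked", str(exc))

if __name__ == "__main__":
    for url in ("http://ipconfig.pro", "https://images.example.com/tom.png",
                "https://cdn.example.com/jerry.png",
                "https://images.example.com@evil.test/"):
        print(url, "->", handle({"url": url}))
```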

This concludes WebGoat SSRF 2 and 3.

I hope you liked it.

PVXs — https://twitter.com/pivixih


WebGoat SSRF 2 3 was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
