portswigger-all-labs

Complete PortSwigger Web Security Academy Lab Writeups

Detailed, categorized solutions for every lab — from APPRENTICE to EXPERT — covering all 30 vulnerability types.


Labs Covered

This write-up focuses on the following APPRENTICE-level labs from the PortSwigger Web Security Academy related to Server-side request forgery (SSRF):

1 Basic SSRF against the local server

This lab demonstrates how attackers can exploit SSRF vulnerabilities to send requests to the local server and access internal resources.

2 Basic SSRF against another back-end system

This lab shows how SSRF can be used to interact with other back-end systems connected to the target server.

LAB 1 - Basic SSRF against the local server

Lab Description


Solution

I began by accessing the lab and navigating to any product page.


Using Burp Suite, I intercepted the request triggered by the “Check Stock” button.
It was sending a request to the internal stockApi endpoint to check stock availability.


I replaced the stock URL with:

http://localhost/admin

This tested whether the internal admin interface was accessible.


We get a 200 OK response and the admin page of the back-end server hosted at localhost.


Now we need to delete the user carlos to solve the lab.

If we click the link to delete the user carlos directly, the action is refused. The application throws an error: `Admin interface only available if logged in as an administrator, or if requested from loopback`

So instead we supply the delete URI through the captured stock-check request, which the server issues itself from loopback.

I appended the above endpoint to the body of the stock API request:

POST /product/stock HTTP/1.1
Host: target-site.com
...

stockApi=http://localhost/admin/delete?username=carlos

Sending this request triggered a server-side request to the admin interface, deleting the user carlos.


Thus we’ve solved the lab.



LAB 2 - Basic SSRF against another back-end system

Lab Description


Solution

Steps to Solve

1. Intercepted the Stock Check Request

I accessed the lab and intercepted the stock check feature using Burp Suite.
The request included a stockApi parameter which the server used to fetch internal product stock information.


2. Initiated an Internal IP Scan with Intruder

To find the internal admin panel, I configured Burp Intruder to brute-force the final octet (X) in the IP range 192.168.0.X.
The payload position was set on the final octet of:

```
http://192.168.0.[1-255]:8080/admin
```


We got a 200 OK response for payload 23, so the IP address of the back-end server is 192.168.0.23.


3. Identified the Admin Interface

After scanning, I found that the admin interface was located at:

http://192.168.0.23:8080/admin

Visiting this endpoint through the stockApi parameter returned a 200 OK response, and the response body contained a link to the /delete?username=carlos endpoint.


4. Deleted the User via SSRF

I then set the `stockApi` parameter to the delete endpoint:

http://192.168.0.23:8080/admin/delete?username=carlos

and sent the request.


5. Lab Solved

The server processed the internal request and deleted the user carlos, successfully completing the lab.

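Both labs succeed for the same reason: the stock-check endpoint forwards whatever URL it is given in stockApi, so a value pointing at localhost (LAB 1) or at a 192.168.0.x back-end (LAB 2) is fetched by the server itself. The following is an added example written for this write-up, not code from the PortSwigger labs or from this repository. It shows the check that endpoint was missing: the stockApi value is parsed, loopback and private-range targets are rejected, and the remaining hosts must match an allowlist; the same classifier is then run over a few constructed access-log lines to flag the requests the two labs produce. The allowlisted host name stock.example-shop.internal, the log-line layout and the function names are assumptions, not values taken from the page.

```python
import ipaddress
from urllib.parse import urlparse, unquote

# Assumed allowlist: the only back-end host the stock checker is meant to call.
# "stock.example-shop.internal" is a placeholder, not a host from the labs.
ALLOWED_HOSTS = {"stock.example-shop.internal"}
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_host(host: str) -> bool:
    """True if host names the local machine or is an IP literal in a non-public range.

    Only IP literals are checked here. A production check must also resolve
    host names and test every returned address, otherwise a public name that
    resolves to 127.0.0.1 or 192.168.0.23 passes this check.
    """
    h = host.lower()
    if h == "localhost" or h.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False  # not an IP literal
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_stock_api_url(url: str) -> str:
    """Classify a stockApi value: returns "allowed" or "blocked: <reason>"."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return "blocked: scheme"
    host = parsed.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return "blocked: no host"
    if is_internal_host(host):
        return "blocked: internal address"
    if host not in ALLOWED_HOSTS:
        return "blocked: host not allowlisted"
    return "allowed"


# Constructed access-log lines (not from the page):
# timestamp, method, path, URL-encoded stockApi value, response status.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z POST /product/stock stockApi=http%3A%2F%2Fstock.example-shop.internal%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1 200
2024-05-01T10:00:07Z POST /product/stock stockApi=http%3A%2F%2Flocalhost%2Fadmin 200
2024-05-01T10:00:09Z POST /product/stock stockApi=http%3A%2F%2F192.168.0.23%3A8080%2Fadmin%2Fdelete%3Fusername%3Dcarlos 200
2024-05-01T10:00:12Z POST /product/stock stockApi=http%3A%2F%2F192.168.0.200%3A8080%2Fadmin 500
"""


def find_ssrf_attempts(log_text: str):
    """Return (line_number, decoded_url, reason) for each log line whose
    stockApi value check_stock_api_url would reject."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for token in line.split():
            if token.startswith("stockApi="):
                url = unquote(token[len("stockApi="):])
                verdict = check_stock_api_url(url)
                if verdict != "allowed":
                    findings.append((n, url, verdict))
    return findings


if __name__ == "__main__":
    for n, url, why in find_ssrf_attempts(SAMPLE_LOG):
        print(f"line {n}: {why}: {url}")
```

Run over the constructed log, lines 2 to 4 are flagged as internal-address targets and line 1 passes. Rejecting by address range alone is not enough in production: the host name has to be resolved and every returned address checked against the same ranges, and the address actually connected to should be the one that was validated, so that a name which changes between resolution and connection cannot bypass the check.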