SSRF vulnerability

On the /admin/api page (“API” from the dashboard), there appear to be admin instructions for retrieving sensitive credentials:

Meanwhile, on the /admin/settings page (“Settings” from the dashboard), there is a form where we can enter a URL. This hints that we should change the URL to one of the localhost addresses given on the API page. From there, we are able to retrieve a base64-encoded string of the sensitive content, which we can decode in the terminal:

$ echo <base64_string> | base64 -d

This simple example demonstrates a Server-Side Request Forgery (SSRF) vulnerability: because the server makes the request on our behalf, we can point it at internal addresses and upload or retrieve information that we are otherwise not allowed to access.
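The fix on the server side is to validate the user-supplied URL before fetching it. The check below is an added example, not code from the original write-up: it rejects non-HTTP schemes and any host that resolves to a loopback, private, link-local or other non-public address. `FAKE_DNS`, `fake_resolver` and the host names are constructed so the example runs offline; in production the default `socket.getaddrinfo` resolver is used.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table for offline demonstration; stands in for real resolution.
FAKE_DNS = {"example.com": "93.184.216.34", "internal.test": "127.0.0.1"}


def fake_resolver(host, port):
    """Mimic socket.getaddrinfo's return shape using the constructed table."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (FAKE_DNS[host], port or 0))]


def addresses_for(host, resolver):
    """Return every IP address the host maps to; an IP literal needs no lookup."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    return [ipaddress.ip_address(sa[0]) for *_rest, sa in resolver(host, None)]


def is_safe_target(url, resolver=socket.getaddrinfo):
    """Return (ok, reason); ok only for http(s) URLs resolving solely to public IPs."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    if not parsed.hostname:
        return False, "missing host"
    try:
        addrs = addresses_for(parsed.hostname, resolver)
    except (socket.gaierror, OSError) as exc:
        return False, f"cannot resolve {parsed.hostname}: {exc}"
    for addr in addrs:
        # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 checks apply.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if not addr.is_global:
            return False, f"{parsed.hostname} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:8080/api", "http://internal.test/",
                      "file:///etc/passwd", "https://example.com/"):
        print(candidate, "->", is_safe_target(candidate, fake_resolver))
```

Because the hostname is resolved twice (once here, once by the HTTP client), a DNS-rebinding response could change between the two lookups; connect to the address that passed the check, and apply the same check to every redirect the fetch follows.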
