Research: Server-Side Request Forgery (SSRF) Mechanics
Mechanism of Action
SSRF occurs when an application fetches a remote resource from a user-supplied URL without validating it. Because internal systems trust requests that originate from the server, an attacker can coerce the server into making requests on their behalf.
Target Analysis: Stock API
The application uses a specific parameter to query an internal stock management API:
POST /product/stock HTTP/1.0
...
stockApi=http://stock.weliketoshop.net:8080/product/stock/check?productId=1
Exploitation: Localhost Pivot
By modifying the stockApi parameter, we can direct the server to query its own loopback interface (127.0.0.1). This is critical because many administrative services listen only on localhost to avoid external exposure.
Payload:
stockApi=http://localhost/admin
Result: The server responds with the Administrative Interface HTML, which is normally blocked from external IPs.
Escalation: Authorized Action
Once the internal interface is reachable, we can construct authorized requests by inferring the URL structure of the administrative interface.
Payload:
stockApi=http://localhost/admin/delete?username=carlos
The server executes the request with local privileges, deleting the target user. This demonstrates how SSRF bypasses network-level access controls (firewalls) by utilizing the trusted server as a proxy.
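Mitigation: Allow-list Validation
As an added defensive example (not part of the original note or the target application), the following validator for the stockApi parameter rejects both localhost payloads above and any hostname that resolves to internal address space. The allowed host/port policy and the resolver results used below are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy: the only legitimate upstream for stockApi is the stock
# service on the host and port seen in the original request.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"stock.weliketoshop.net"}
ALLOWED_PORTS = {8080}


def default_resolver(host):
    """Resolve a hostname to the set of IP addresses it currently points at."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(ip_text):
    """True for loopback, private, link-local, multicast and other
    non-routable space; also covers IPv4-mapped IPv6 forms of them."""
    ip = ipaddress.ip_address(ip_text)
    return (not ip.is_global) or ip.is_multicast


def validate_stock_api_url(url, resolver=default_resolver):
    """Return (ok, reason). Anything outside the allow-listed stock service,
    or resolving to internal space, never reaches the HTTP client."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"  # blocks trusted@realhost tricks
    host = parts.hostname  # already lower-cased by urlsplit
    if not host or host not in ALLOWED_HOSTS:
        return False, "host not in allow-list"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addresses = resolver(host)
    except (socket.gaierror, ValueError):
        return False, "host does not resolve"
    # A DNS name can point at 127.0.0.1; check every address returned.
    for address in addresses:
        if is_internal(address):
            return False, f"host resolves to internal address {address}"
    return True, "ok"
```

The resolver is injectable so the check can be unit-tested without network access; in production the default resolver runs a real lookup, and the resolved address should ideally be the one the HTTP client connects to, so that the answer cannot change between check and use.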