webPromedium

Lab 347 — PushRelay — SSRF via URL Parsing Confusion in Webhook Tester

hackadvisor

Task: PushRelay webhook platform validates URLs against SSRF blocklist using WHATWG URL parser, but misses IPv6-mapped IPv4 addresses. Solution: Bypass blocklist with http://[::ffff:127.0.0.1]:3001/ to reach internal config service and retrieve the flag.

$ ls tags/ techniques/

ssrf nodejs localhost_bypass express webhook blocklist_bypass ipv6_mapped_ipv4 url_parsing_confusion axios whatwg_url

ssrf_localhost_bypassurl_validation_bypassinternal_service_accessipv4_mapped_ipv6_bypass

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 6 — HookRelay — SSRF via IPv6-Mapped-IPv4 Bypass— hackadvisor
[web][Pro]Lab 92 — EventPulse — SSRF via IPv6 Bypass in Webhook Verification— hackadvisor
[web][Pro]PingForge— hackadvisor
[web][Pro]Lab 340 — PingRelay — Blind SSRF via Webhook Test— hackadvisor
[web][Pro]Lab 91 — PingRadar — SSRF Filter Bypass via Open Redirect Chain— hackadvisor