Lab 91 — PingRadar — SSRF Filter Bypass via Open Redirect Chain

hackadvisor

Task: PingRadar webhook platform has a Webhook Tester (SSRF vector) and an unauthenticated Click Tracking open redirect; SSRF blocklist blocks private IPs but not the app's own internal hostname. Solution: Chain the open redirect through the internal hostname to bypass SSRF filter — webhook tester fetches app.pingradar.local:8080/api/track which 302-redirects to localhost:3001 cloud metadata service, leaking IAM credentials containing the flag.

ssrf internal_service webhook open_redirect ssrf_filter_bypass redirect_chain cloud_metadata iam_credentials click_tracking hostname_bypass

ssrf_via_open_redirectredirect_chain_bypasscloud_metadata_accesshostname_allowlist_bypassunvalidated_redirect_destination

$ ls tags/ techniques/

ssrf internal_service webhook open_redirect ssrf_filter_bypass redirect_chain cloud_metadata iam_credentials click_tracking hostname_bypass

ssrf_via_open_redirectredirect_chain_bypasscloud_metadata_accesshostname_allowlist_bypassunvalidated_redirect_destination

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 47 — PingRadar — Blind SSRF via Webhook Test Delivery— hackadvisor
[web][Pro]Lab 340 — PingRelay — Blind SSRF via Webhook Test— hackadvisor
[web][Pro]PingForge— hackadvisor
[web][Pro]Lab 89 — PingRadar — SSRF via DNS Rebinding (TOCTOU)— hackadvisor
[web][Pro]Lab 6 — HookRelay — SSRF via IPv6-Mapped-IPv4 Bypass— hackadvisor