webPromedium

Lab 98 — SprintDeck — SSRF via Link Preview URL Filter Bypass

hackadvisor

Task: SprintDeck project management platform with link preview feature that fetches URLs server-side with an IP blocklist. Solution: Bypass URL validation using IPv6-mapped IPv4 address [::ffff:127.0.0.1] to reach internal analytics service on port 3001 and exfiltrate flag via HTML title tag extraction.

$ ls tags/ techniques/

ssrf nodejs nginx express internal_service decoy_flag metadata_extraction url_validation blocklist_bypass ipv6_mapped_ipv4 link_preview kanban project_management

ipv6_mapped_ipv4_bypassinternal_service_enumerationdecoy_flag_avoidancessrf_via_link_previewurl_blocklist_bypassmetadata_exfiltration_via_title_tag

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 6 — HookRelay — SSRF via IPv6-Mapped-IPv4 Bypass— hackadvisor
[web][Pro]Lab 92 — EventPulse — SSRF via IPv6 Bypass in Webhook Verification— hackadvisor
[web][Pro]PingForge— hackadvisor
[web][Pro]Lab 97 — UptimePulse — SSRF Chain to RCE via Cloud Metadata— hackadvisor
[web][Pro]Lab 91 — PingRadar — SSRF Filter Bypass via Open Redirect Chain— hackadvisor