webPromedium

Lab 47 — PingRadar — Blind SSRF via Webhook Test Delivery

hackadvisor

Task: PingRadar webhook test delivery makes server-side HTTP requests to arbitrary URLs with no SSRF protection; delivery logs expose response headers but not body (blind SSRF). Solution: port-scan localhost to find internal monitoring-aggregator on port 3001, leak x-internal-token from /health response headers via delivery log API, inject Bearer token via webhook custom headers to access /admin/export, which writes report containing flag to shared filesystem rendered on the delivery logs page.

$ ls tags/ techniques/

ssrf nodejs side_channel nginx express internal_service honeypot webhook prompt_injection decoy_flag custom_headers token_leak blind_ssrf response_header_leak export_report

response_header_exfiltrationinternal_service_enumerationinternal_port_scanningssrf_via_webhook_testinternal_token_leakbearer_token_injection_via_custom_headersside_channel_data_exfiltrationexport_report_file_write

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 91 — PingRadar — SSRF Filter Bypass via Open Redirect Chain— hackadvisor
[web][Pro]Lab 340 — PingRelay — Blind SSRF via Webhook Test— hackadvisor
[web][Pro]Lab 89 — PingRadar — SSRF via DNS Rebinding (TOCTOU)— hackadvisor
[web][Pro]PingForge— hackadvisor
[web][Pro]Lab 6 — HookRelay — SSRF via IPv6-Mapped-IPv4 Bypass— hackadvisor