Server Side Request Forgery 04

This exercise is one of our challenges on Server-Side Request Forgery.

PRO | Tier: Easy | < 1 Hr. | 9063

In this example, the developer attempts to block everything that doesn't match "assets.pentesterlab.com" using a regular expression. However, the regular expression is weak: the dots are not escaped, so each one matches any character, and there are no boundary anchors at the start and end of the string, so the pattern can match anywhere inside the URL. This allows attackers to manipulate the URL and bypass the security check.

We explore this by examining the code in detail, identifying the vulnerabilities, and demonstrating how an attacker can exploit them. For instance, by registering a domain like "assetsapentesterlab.com" or "prefix.assets.pentesterlab.com", attackers can trick the application into fetching data from malicious URLs. Additionally, using $_GET['url'] directly instead of a validated variable introduces another layer of risk, as it bypasses any security checks that might have been applied to the validated variable.
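The weak check described above, next to a stricter one, as an added example that is not the exercise's own code. The function names, the `ALLOWED_HOST` constant, the https-only rule and the `example.net` sample URLs are assumptions constructed for illustration.

```php
<?php
// Added example: names and sample URLs are constructed, not taken from the exercise.
const ALLOWED_HOST = 'assets.pentesterlab.com';

// The weak pattern as the page describes it: unescaped dots, no anchors.
function weak_check(string $url): bool
{
    return preg_match('/assets.pentesterlab.com/', $url) === 1;
}

// Stricter check: parse the URL and compare the host exactly.
// Returns the validated URL, or null when the URL is rejected.
function strict_check(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                      // malformed or relative URL
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null;                      // assumption: assets are served over https only
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                      // no credentials section before the host
    }
    if (strtolower($parts['host']) !== ALLOWED_HOST) {
        return null;                      // exact host match, not a substring match
    }
    return $url;
}

$samples = [
    'https://assets.pentesterlab.com/logo.png',            // intended use
    'https://assetsapentesterlab.com/logo.png',            // "." matched the letter "a"
    'https://assets.pentesterlab.com.example.net/x',       // no end anchor
    'https://example.net/?ref=assets.pentesterlab.com',    // pattern found in the query string
];

foreach ($samples as $candidate) {
    // Only the value returned by strict_check() should reach the fetch code,
    // never the raw $_GET['url'].
    $validated = strict_check($candidate);
    printf(
        "%-52s weak=%-5s strict=%s\n",
        $candidate,
        weak_check($candidate) ? 'allow' : 'block',
        $validated !== null ? 'allow' : 'block'
    );
}
```

Only the first sample passes both checks; the other three pass the weak pattern and are rejected by the exact host comparison.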
