Lab 3: Webhook Tester

Difficulty: Medium

Lab Overview

This lab demonstrates an SSRF vulnerability in a webhook testing service. The application makes HTTP requests to user-supplied webhook URLs without proper validation, allowing access to internal services.

Objective: Use SSRF to access internal services, cloud metadata, or local files through webhook testing.

Vulnerable PHP Code

// Handle webhook test request
if (isset($_GET['webhook']) && !empty($_GET['webhook'])) {
    $webhook_url = $_GET['webhook'];
    
    // Vulnerable: No validation of webhook URL
    try {
        $context_options = [
            'http' => [
                'timeout' => 10,
                'user_agent' => 'WebhookTester/1.0',
                'follow_location' => true,
                'max_redirects' => 5
            ]
        ];
        
        if ($method === 'POST') {
            $context_options['http']['method'] = 'POST';
            $context_options['http']['header'] = 'Content-Type: application/json';
            $context_options['http']['content'] = $payload;
        }
        
        $context = stream_context_create($context_options);
        $response = file_get_contents($webhook_url, false, $context);
        
        if ($response !== false) {
            // Display response content
        }
    } catch (Exception $e) {
        // Error handling
    }
}

// Example vulnerable usage:
// ?webhook=https://example.com/webhook
// ?webhook=http://localhost:8080
// ?webhook=file:///etc/passwd

Webhook Tester Demo

Quick Test URLs:

Vulnerability Details

Type: Server-Side Request Forgery (SSRF)
Severity: High
Parameter: webhook
Method: GET
Issue: Webhook URL testing without validation

Test Payloads

Try these payloads in the webhook parameter:

http://localhost:8080 - Local service
http://127.0.0.1:3306 - Database port
file:///etc/passwd - Local file
http://169.254.169.254/ - Cloud metadata
http://localhost:22 - SSH port

Example URLs:

3.php?webhook=http://localhost:8080
3.php?webhook=file:///etc/passwd

Real-World Attack Scenarios

Access to internal services through webhook parameters
Cloud metadata and credentials exposure
Database access and data exfiltration
Local file system access
Port scanning and service enumeration
Bypassing firewalls and network restrictions
Webhook payload injection attacks

Mitigation Strategies

Validate and whitelist allowed webhook URLs
Block private IP ranges and localhost
Use URL parsing libraries to validate URLs
Implement proper error handling
Use outbound proxies with restrictions
Disable dangerous protocols (file://, gopher://)
Implement request timeouts and size limits
Validate webhook payloads