# Lab: Basic SSRF against the local server

This is the lab's main page:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2F3iGdAiquZ0dFasjQsp8R%2Fimage.png?alt=media&#x26;token=4e1256f6-0d83-481b-920d-aa0966098758" alt=""><figcaption></figcaption></figure>

Next, open a product page and test the stock check functionality at the bottom of the page:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FulXvJflmP2d5ZQwSvWxs%2Fimage.png?alt=media&#x26;token=360aa9d5-143a-4d3e-9cfe-d2fa9d3ec66a" alt=""><figcaption></figcaption></figure>

When the user checks the stock, the request is as follows:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2Fapgqo4YtZshyrUFEnl5L%2Fimage.png?alt=media&#x26;token=e49ad4cd-70b8-4b8f-927f-3d797b127642" alt=""><figcaption></figcaption></figure>

All you have to do is put in the URL given in the exercise statement:

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FCydCBXsrmLAbKhM8fe0e%2Fimage.png?alt=media&#x26;token=c941757a-cfd3-49f8-92d3-4d54a57e3d0e" alt=""><figcaption></figcaption></figure>

The response is the admin panel. As you can see, you can delete the user "carlos", as the exercise statement asks.

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FoFPYRWSTqJXxijq79n6n%2Fimage.png?alt=media&#x26;token=1c41acbb-eb22-45ea-9267-ef54f6d91100" alt=""><figcaption></figcaption></figure>
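
A server-side check that would keep the stock check from reaching the local server, as an added example (not part of the original walkthrough or the lab's code). The host name `stock.shop.example`, the function names and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the only backend the stock check is meant to contact.
ALLOWED_HOSTS = {"stock.shop.example"}
ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Return every IP address the host name currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_stock_url(url, resolve=resolve_host):
    """True only if url targets an allowlisted host that is not the local server."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False
    # Credentials in the URL can disguise the real host (user@host).
    if parts.username is not None or parts.password is not None:
        return False
    if host.lower() not in ALLOWED_HOSTS:
        return False
    try:
        addresses = resolve(host)
    except OSError:
        return False
    if not addresses:
        return False
    # Re-check after resolution: an allowlisted name may still point at loopback.
    for addr in addresses:
        ip = ipaddress.ip_address(addr.split("%")[0])
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
            return False
    return True


if __name__ == "__main__":
    backend = lambda host: {"10.0.3.7"}  # constructed resolver result
    for url in ("http://stock.shop.example:8080/check?productId=1",
                "http://localhost/", "http://127.0.0.1/"):
        print(url, "->", is_safe_stock_url(url, resolve=backend))
```

The code that performs the fetch after this check should connect to the address that was validated and should not follow redirects; otherwise a redirect or a second DNS lookup can still land on the local server.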
