Blind SSRF with out-of-band detection

Introduction

This is our 5th article on Blind SSRF. In this lab, we will be solving the Blind SSRF with out-of-band detection lab. It is provided by PortSwigger Web Security for practice.

Table of Contents

Lab Description

Lab Solution

In this lab, There is an analytics software that fetches data through a specified URL in the Referer header whenever a product loads on the page. To solve the lab, we need to use this functionality to generate an HTTP request to the Burp Collaborator server.

First, we visit the lab. After accessing the lab, we click on ‘View details’ for any product.

Now, I will give you an easy way. You can automatically inject the Burp Collaborator payload into the Referer header of any page you visit. Go to the Proxy tab, then the Options sub-tab, and enter ‘^Referer.*$’ in the Match field. In the Replace field, enter ‘Referer:http://burp.collab.net‘.

Go to the Proxy tab, then the Options sub-tab, and enter ‘^Referer.*$’ in the Match field. In the Replace field, enter ‘Referer:http://burp.collab.net‘.

Now, go back to the lab and refresh the page. You can see in the screenshot. I captured in Burp Suite that my payload was automatically replaced in the Referer field.

My payload is injected into the Referer of the random product I am viewing.

When I view any random product.The page automatically executes my payload, and we solved the Blind SSRF with out-of-band detection lab. When you check your Burp Collaborator, you will see that it has generated DNS and HTTP requests.

To continue studying check out the next lab i.e. SSRF With Whitelist-Based Input Filter, cover the current lab before visiting the next lab. Good Luck!