
Blind SSRF with out-of-band detection


Last updated 19 days ago


Lab Description

Step 1: Observing the Application

Upon accessing the lab, we're presented with a simple store page listing several products.

When we open any product, we intercept the request in Burp Suite and see this HTTP request:

This shows that the browser sets the Referer header automatically on the product request.

Step 2: Testing for Server-Side Interaction

Let's test whether the application's back end actually uses the Referer value in some way, for instance by fetching the URL it contains.

To do this:

  1. Open Burp Collaborator and generate a unique payload (e.g., https://.burpcollaborator.net).

  2. Modify the Referer header in the intercepted request to:

Step 3: Observing the Collaborator Interaction

Now, go to the Burp Collaborator tab.

You’ll observe that the application made both DNS and HTTP requests to your Burp Collaborator payload. This confirms that the backend has some analytics or tracking functionality that fetches the Referer URL server-side.

💡 This proves that the Referer header is being processed by the server and used to initiate an outbound request.
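As an added example (not part of the original writeup or the lab's own code), the server-side pattern behind this finding: a Referer-tracking function that fetches whatever the client sent, beside a hardened version that validates the URL before any outbound request. The allowlist, host names and resolved addresses are constructed, and the resolver is injectable so the check can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: external hosts the tracking code may contact.
ALLOWED_REFERER_HOSTS = {"partner.example.com", "ads.example.net"}


def track_referer_unsafe(referer, fetch):
    """Vulnerable sink: whatever the client sent in Referer gets fetched,
    so a Collaborator URL makes the server issue DNS and HTTP requests."""
    if referer:
        fetch(referer)


def referer_rejection_reason(referer, resolve=socket.gethostbyname):
    """Return why the Referer must not be fetched, or None if it passed.
    `resolve` is injectable so the check can run offline in a test."""
    try:
        parts = urlsplit(referer)
        host = parts.hostname
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return "scheme not http(s)"
    if not host or parts.username or parts.password:
        return "missing host or embedded credentials"
    if host not in ALLOWED_REFERER_HOSTS:
        return "host not on allowlist"
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (socket.gaierror, ValueError):
        return "host does not resolve"
    # An allowlisted name can still resolve to an internal address, so
    # reject loopback, private, link-local and other non-public ranges.
    if not addr.is_global:
        return "resolves to a non-public address"
    return None


def track_referer_safe(referer, fetch, resolve=socket.gethostbyname):
    """Hardened sink: validate first, fetch only on success.  Returns True
    when an outbound request was made.  The fetch still resolves the name
    itself, so production code should pin the checked address or, better,
    just record the Referer instead of fetching it."""
    if not referer or referer_rejection_reason(referer, resolve):
        return False
    fetch(referer)
    return True
```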