# Blind SSRF with out-of-band detection ## Lab Description

## Step 1: Observing the Application Upon accessing the lab, we're presented with a simple **store page** listing several products.

Accessing any product we intercept the request using **Burp Suite**, and we see this HTTP request This shows the `Referer` header is being set automatically.

## Step 2: Testing for Server-Side Interaction Let’s test whether the application backend is **actually using** the `Referer` value in some way — for instance, calling or fetching it. To do this: 1. Open **Burp Collaborator** and generate a unique payload (e.g., `https://.burpcollaborator.net`). 2. Modify the `Referer` header in the intercepted request to:

## Step 3: Observing the Collaborator Interaction Now, go to the **Burp Collaborator tab**. You’ll observe that the application made both **DNS** and **HTTP** requests to your Burp Collaborator payload. This confirms that the backend has some analytics or tracking functionality that fetches the `Referer` URL server-side. 💡 **This proves that the `Referer` header is being processed by the server and used to initiate an outbound request.** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kruknight.gitbook.io/daemon-of-hacking/writeups/portswigger-labs/server-side-request-forgery-ssrf/blind-ssrf-with-out-of-band-detection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.