Blind SSRF with out-of-band detection
Lab Description

Step 1: Observing the Application
Upon accessing the lab, we're presented with a simple store page listing several products.

When we open any product and intercept the request with Burp Suite, the HTTP request shows that the browser sets the Referer header automatically.

Step 2: Testing for Server-Side Interaction
Let's test whether the application backend actually uses the Referer value in some way, for instance by calling or fetching it.
To do this:
1. Open Burp Collaborator and generate a unique payload (e.g., https://.burpcollaborator.net).
2. Modify the Referer header in the intercepted request to:

Step 3: Observing the Collaborator Interaction
Now go to the Burp Collaborator tab.
You'll see that the application made both DNS and HTTP requests to your Burp Collaborator payload. This confirms that the backend has some analytics or tracking functionality that fetches the Referer URL server-side.
💡 This proves that the Referer header is processed by the server and used to initiate an outbound request.
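As an added example (not code from the lab or this write-up), here is the defender's side of the same behaviour in Python: the backend records the Referer only after validating it and never fetches it, and the same check run over constructed access-log lines flags the values that would have been rejected. The allowlisted hosts, the log lines and the stand-in resolver addresses are assumptions.

```python
import ipaddress
import re
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed allowlist: hosts from which the shop expects to be referred.
ALLOWED_REFERER_HOSTS = {"shop.example", "www.shop.example"}

def is_public_address(host: str, resolve: Callable[[str], str]) -> bool:
    """True only if host resolves to a globally routable address."""
    try:
        return ipaddress.ip_address(resolve(host)).is_global
    except (OSError, ValueError):
        return False

def sanitize_referer(referer: Optional[str],
                     resolve: Optional[Callable[[str], str]] = None) -> Optional[str]:
    """Return the Referer only if it is safe to store; never fetch it.

    The lab backend fetched the raw header server-side. Here the value is kept
    only when it is an http(s) URL for an allowlisted host and, when a resolver
    is supplied (e.g. socket.gethostbyname), that host does not resolve to an
    internal address. With resolve=None the check is structural and offline."""
    if not referer:
        return None
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if host not in ALLOWED_REFERER_HOSTS:
        return None
    if resolve is not None and not is_public_address(host, resolve):
        return None
    return referer

# Tail of a combined-log-format line: "<request>" <status> <bytes> "<referer>" "<ua>"
_LOG_RE = re.compile(r'"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def suspicious_referers(log_lines: Iterable[str]) -> List[str]:
    """Referer values in access-log lines that sanitize_referer would reject."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m or m.group("referer") in ("", "-"):
            continue
        if sanitize_referer(m.group("referer")) is None:
            hits.append(m.group("referer"))
    return hits

# Constructed sample log: one expected referrer, one out-of-band domain,
# one request without a Referer, and one pointing at the server itself.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /product?productId=1 HTTP/1.1" 200 1234 "https://shop.example/" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /product?productId=2 HTTP/1.1" 200 1234 "http://x.oast.example/" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /product?productId=3 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /product?productId=4 HTTP/1.1" 200 1234 "http://localhost/" "Mozilla/5.0"',
]
```

In production pass `resolve=socket.gethropbyname`-style resolution only where DNS is acceptable; the offline form is what the log scanner uses.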