Lab: Blind SSRF with out-of-band detection
This site uses analytics software that fetches the URL specified in the Referer header whenever a product page is loaded.
To solve the lab, use this functionality to cause an HTTP request to the public Burp Collaborator server.
You must use the public Burp Collaborator server (
- In Burp Suite Professional, go to the Burp menu and launch the Burp Collaborator client.
- Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.
- Visit a product, intercept the request in Burp Suite, and send it to Burp Repeater.
- Change the Referer header to use the generated Burp Collaborator domain in place of the original domain. Send the request.
- Go back to the Burp Collaborator client window, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again, since the server-side command is executed asynchronously.
- You should see some DNS and HTTP interactions that were initiated by the application as the result of your payload.
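The steps above show the server-side analytics fetch from the tester's side. The following Python is an added defender-side example, not part of the lab or of PortSwigger's materials: it contrasts the vulnerable pattern (fetch whatever the Referer header names) with a hardened version that only fetches from an allowlist of first-party hostnames, and it scans constructed outbound-request log lines for fetches to hosts outside that allowlist, which is exactly the signal an out-of-band interaction like the one in this lab leaves in server logs. The hostnames, log format and function names are assumptions made for the example.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the site's own hostnames, the only places the
# analytics component legitimately needs to fetch referring pages from.
ALLOWED_REFERER_HOSTS = {"shop.example", "www.shop.example"}

# Constructed outbound-request log, in an assumed format. The second line is
# what a blind SSRF via the Referer header looks like from the server side:
# the application fetching a host it has no business contacting.
SAMPLE_OUTBOUND_LOG = """\
2024-01-01T12:00:01Z analytics fetch url=https://shop.example/product?productId=1
2024-01-01T12:00:02Z analytics fetch url=http://unexpected-host.example/
2024-01-01T12:00:03Z analytics fetch url=https://www.shop.example/product?productId=2
"""


def analytics_fetch_target_unsafe(headers):
    """Vulnerable pattern: the Referer header value is used verbatim as the URL
    to fetch, so any host the client names gets a request from the server."""
    return headers.get("Referer")


def validate_referer_for_fetch(referer, allowed_hosts=ALLOWED_REFERER_HOSTS):
    """Hardened pattern: return the URL to fetch only if it is an http(s) URL
    whose hostname is on the allowlist; otherwise return None (do not fetch)."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname
    if host is None:
        return None
    host = host.lower().rstrip(".")
    # Literal IP addresses are never allowed; the allowlist is by name only,
    # which also keeps loopback and internal ranges out.
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    # Embedded credentials (user@host) are a common way to disguise the real
    # host; reject them regardless of the hostname.
    if parts.username or parts.password:
        return None
    if host not in allowed_hosts:
        return None
    return parts.geturl()


_URL_FIELD = re.compile(r"\burl=(\S+)")


def find_unexpected_fetches(log_text, allowed_hosts=ALLOWED_REFERER_HOSTS):
    """Detection: return the hostnames of every logged outbound fetch whose
    destination is not on the allowlist, in log order."""
    unexpected = []
    for line in log_text.splitlines():
        match = _URL_FIELD.search(line)
        if not match:
            continue
        host = urlsplit(match.group(1)).hostname
        if host is None:
            continue
        host = host.lower().rstrip(".")
        if host not in allowed_hosts:
            unexpected.append(host)
    return unexpected


if __name__ == "__main__":
    headers = {"Referer": "http://unexpected-host.example/"}
    print("unsafe would fetch:", analytics_fetch_target_unsafe(headers))
    print("hardened fetches:", validate_referer_for_fetch(headers["Referer"]))
    print("unexpected hosts in log:", find_unexpected_fetches(SAMPLE_OUTBOUND_LOG))
```

The allowlist check is the mitigation that matters here: the analytics feature only ever needs pages from the site's own hosts, so there is no reason to honour an arbitrary Referer. The log scan is the corresponding detection, and an alert on its output would have fired on the interaction this lab asks you to generate.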