Lab: Blind SSRF with out-of-band detection
This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded.
To solve the lab, use this functionality to cause an HTTP request to the public Burp Collaborator server.
To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator's default public server (
- In Burp Suite Professional, go to the Burp menu and launch the Burp Collaborator client.
- Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.
- Visit a product, intercept the request in Burp Suite, and send it to Burp Repeater.
- Change the Referer header to use the generated Burp Collaborator domain in place of the original domain. Send the request.
- Go back to the Burp Collaborator client window, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again, since the server-side command is executed asynchronously.
- You should see some DNS and HTTP interactions that were initiated by the application as the result of your payload.