Join us on May 15 for a live demo of how Burp Suite DAST solves real-world security challenges.            Register Now
Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: Blind SSRF with out-of-band detection

PRACTITIONER

This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded.

To solve the lab, use this functionality to cause an HTTP request to the public Burp Collaborator server.

Note

To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator's default public server.

ACCESS THE LAB

Solution

  1. Visit a product, intercept the request in Burp Suite, and send it to Burp Repeater.
  2. Go to the Repeater tab. Select the Referer header, right-click and select "Insert Collaborator Payload" to replace the original domain with a Burp Collaborator generated domain. Send the request.
  3. Go to the Collaborator tab, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again, since the server-side command is executed asynchronously.
  4. You should see some DNS and HTTP interactions that were initiated by the application as the result of your payload.

Community solutions

Rana Khalil
Michael Sommer (no audio)

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find SSRF vulnerabilities using Burp Suite

Try for free