Lab: Blind SSRF with out-of-band detection

PRACTITIONER

This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded.

To solve the lab, use this functionality to cause an HTTP request to the public Burp Collaborator server.

You must use the public Burp Collaborator server (burpcollaborator.net).

In Burp Suite Professional, go to the Burp menu and launch the Burp Collaborator client.
Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.
Visit a product, intercept the request in Burp Suite, and send it to Burp Repeater.
Change the Referer header to use the generated Burp Collaborator domain in place of the original domain. Send the request.
Go back to the Burp Collaborator client window, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again, since the server-side command is executed asynchronously.
You should see some DNS and HTTP interactions that were initiated by the application as the result of your payload.

Want to track your progress and have a more personalized learning experience? (It's free!)

SSRF Blind SSRF

SQL injection XSS CSRF Clickjacking CORS XXE SSRF Request smuggling Command injection Directory traversal Access control WebSockets