1. Web Security Academy
  2. SSRF
  3. Blind
  4. Lab

Lab: Blind SSRF with Shellshock exploitation


This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded.

To solve the lab, use this functionality to perform a blind SSRF attack against an internal server in the 192.168.0.X range. In the blind attack, use a Shellshock payload against the internal server to exfiltrate the name of the OS user via the public Burp Collaborator server.


You must use the public Burp Collaborator server (burpcollaborator.net).

Try Burp Suite for Free

Find SSRF vulnerabilities using Burp Suite

Try for free