1. Web Security Academy
  2. SSRF
  3. Blind
  4. Lab

Lab: Blind SSRF with Shellshock exploitation


This site uses analytics software which fetches the URL specified in the Referer header when a product page is loaded.

To solve the lab, use this functionality to perform a blind SSRF attack against an internal server in the 192.168.0.X range. In the blind attack, use a Shellshock payload against the internal server to exfiltrate the name of the OS user via the public Burp Collaborator server.


You must use the public Burp Collaborator server (burpcollaborator.net).