[This lab](https://portswigger.net/web-security/ssrf/blind/lab-out-of-band-detection) showcases a **Blind Server-Side Request Forgery (SSRF)** vulnerability where there is **no direct response** from the server when the SSRF is triggered. Instead, we rely on **out-of-band (OAST)** detection using **Burp Collaborator** to confirm the vulnerability. #### 1. Intercept a Product Request - Visited any **product page**. - **Intercepted** the request using Burp Proxy. - Sent the request to **Repeater** for easy editing. Example request: ```http GET /product?productId=1 HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Referer: https://YOUR-LAB-ID.web-security-academy.net/ ... ``` --- #### 2. Modify the Referer Header - In Repeater, **highlighted the domain** part of the `Referer` header. - Right-clicked → **Insert Collaborator Payload**. ![[CleanShot 2025-04-27 at 21.00.24.png]] Updated request looked like: ```http GET /product?productId=1 HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Referer: https://abc123xyz.burpcollaborator.net/ ... ``` - **Sent** the request. ![[CleanShot 2025-04-27 at 21.10.01.png]] --- #### 3. Poll for Out-of-Band Interaction - Switched to the **Burp Collaborator client** tab. - Clicked **Poll now**. ✅ Saw **DNS and HTTP interactions** triggered by the server accessing the Burp Collaborator payload! **Lab solved!** ![[CleanShot 2025-04-27 at 21.11.12.png]] --- ## ✍️ Why This Works (Technical Breakdown) |Component|Description| |---|---| |**Vulnerability**|Blind Server-Side Request Forgery (SSRF)| |**Root Cause**|Server processes untrusted `Referer` header input and initiates backend requests without sanitization| |**Impact**|Out-of-band interactions (DNS, HTTP requests), potential internal network access, RCE in some cases| |**Defense**|Validate headers, whitelist trusted domains, avoid server-side fetching based on user-controlled input| --- > ⚡ Pro Tip: In real-world apps, blind SSRF often shows up via PDF generators, analytics software, webhook handlers, image processors — **anything server-side that "fetches" or "crawls" URLs**.