[This lab](https://portswigger.net/web-security/ssrf/blind/lab-out-of-band-detection) showcases a **Blind Server-Side Request Forgery (SSRF)** vulnerability where there is **no direct response** from the server when the SSRF is triggered.
Instead, we rely on **out-of-band (OAST)** detection using **Burp Collaborator** to confirm the vulnerability.
#### 1. Intercept a Product Request
- Visited any **product page**.
- **Intercepted** the request using Burp Proxy.
- Sent the request to **Repeater** for easy editing.
Example request:
```http
GET /product?productId=1 HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Referer: https://YOUR-LAB-ID.web-security-academy.net/
...
```
---
#### 2. Modify the Referer Header
- In Repeater, **highlighted the domain** part of the `Referer` header.
- Right-clicked → **Insert Collaborator Payload**.
![[CleanShot 2025-04-27 at 21.00.24.png]]
Updated request looked like:
```http
GET /product?productId=1 HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Referer: https://abc123xyz.burpcollaborator.net/
...
```
- **Sent** the request.
![[CleanShot 2025-04-27 at 21.10.01.png]]
---
#### 3. Poll for Out-of-Band Interaction
- Switched to the **Burp Collaborator client** tab.
- Clicked **Poll now**.
✅ Saw **DNS and HTTP interactions** triggered by the server accessing the Burp Collaborator payload!
**Lab solved!**
![[CleanShot 2025-04-27 at 21.11.12.png]]
---
## ✍️ Why This Works (Technical Breakdown)
|Component|Description|
|---|---|
|**Vulnerability**|Blind Server-Side Request Forgery (SSRF)|
|**Root Cause**|Server processes untrusted `Referer` header input and initiates backend requests without sanitization|
|**Impact**|Out-of-band interactions (DNS, HTTP requests), potential internal network access, RCE in some cases|
|**Defense**|Validate headers, whitelist trusted domains, avoid server-side fetching based on user-controlled input|
---
> ⚡ Pro Tip: In real-world apps, blind SSRF often shows up via PDF generators, analytics software, webhook handlers, image processors — **anything server-side that "fetches" or "crawls" URLs**.