Blind SSRF - The Hide & Seek Game

  1. Start Burp Suite.
  2. Go to Extender and open the BApp Store tab.
  3. Find the Collaborator Everywhere extension and install it.
  1. My target website talked to its back end through an API, so I decided to try the Collaborator Everywhere extension: it injects unique Burp Collaborator payloads into the headers of every in-scope request and reports any DNS or HTTP interaction that comes back.
  2. I started Burp Suite, went to Extender and clicked Extensions, then selected the installed extension (Collaborator Everywhere) to confirm it was loaded.
Screenshots in the original walk through the setup in this order: Collaborator Everywhere loaded in Extender; the browser's manual proxy pointed at Burp; the target added to scope (select Yes at the prompt); the options to visit on the target; the "Collaborator Pingback HTTP" and "Collaborator Pingback DNS" issues raised by the extension; the Burp Collaborator client, with a payload copied out of it for manual testing; and the resulting HTTP response and DNS lookup entries in the Collaborator client.
  1. When testing for blind SSRF it is common to see a DNS lookup for your Burp Collaborator domain but no HTTP request. The application tried to make an HTTP request to the payload hostname, which triggered the DNS resolution, but the request itself was blocked by network-level egress filtering and never reached Collaborator.
  2. A DNS lookup on its own is not a reportable vulnerability. It proves only that a name you controlled was resolved somewhere in the target's infrastructure, not that the server sent a request to it. To have a valid blind SSRF finding you need the HTTP interaction in Collaborator, that is, the application's request actually arriving at your Collaborator host, so that the interaction can be tied back to the parameter or header that caused it.
Bugcrowd VRT: SSRF, DNS query only - P5 (informational)
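To make the two verdicts above concrete, here is an added example (not code from the original post and not the Collaborator Everywhere source) that does the two things the extension does for you: it tags each injected header with its own unique out-of-band hostname, and it correlates whatever comes back to the header that fired, separating DNS-only hits from HTTP hits. The domain `oob.example.net`, the header list and the interaction log are all constructed for illustration.

```python
"""Correlate out-of-band (OOB) callbacks to the injected header that caused
them, and separate DNS-only hits (informational) from HTTP hits (a confirmed
outbound request). Added example; the OOB domain, the header list and the
log records are constructed, not taken from a real engagement."""
import secrets
from collections import defaultdict

# Assumed OOB domain under the tester's control (hypothetical; Burp
# Collaborator issues one of its own).
OOB_DOMAIN = "oob.example.net"

# A subset of request headers that back ends commonly fetch or resolve.
# Collaborator Everywhere seeds a similar list; this one is an assumption.
INJECTED_HEADERS = ["Referer", "X-Forwarded-For", "User-Agent", "X-Forwarded-Host"]


def make_payload(token):
    """Unique hostname whose leftmost label identifies the header that fired."""
    return f"{token}.{OOB_DOMAIN}"


def tag_headers(headers, token_for=lambda: secrets.token_hex(4)):
    """Return (tagged_headers, label_map); label_map maps token -> header name."""
    tagged = dict(headers)
    label_map = {}
    for name in INJECTED_HEADERS:
        token = token_for()
        label_map[token] = name
        payload = make_payload(token)
        # URL-shaped headers get a URL; host/IP-shaped headers get a bare name.
        if name == "Referer":
            tagged[name] = f"http://{payload}/"
        elif name == "User-Agent":
            tagged[name] = f"Mozilla/5.0 (compatible; http://{payload}/)"
        else:
            tagged[name] = payload
    return tagged, label_map


def token_of(hostname):
    """Label immediately left of OOB_DOMAIN, normalised: DNS is case-insensitive,
    resolvers may append a trailing dot, and an HTTP Host header may carry a port.
    Returns None for names that are not under our OOB domain."""
    host = hostname.split(":")[0].rstrip(".").lower()
    if not host.endswith("." + OOB_DOMAIN):
        return None
    return host[: -len(OOB_DOMAIN) - 1].split(".")[-1]


def classify(label_map, interactions):
    """interactions: iterable of (kind, hostname), kind being 'dns' or 'http'.
    Returns header name -> 'http' | 'dns-only' | 'none'."""
    seen = defaultdict(set)
    for kind, hostname in interactions:
        token = token_of(hostname)
        if token in label_map:
            seen[label_map[token]].add(kind)
    verdict = {}
    for name in INJECTED_HEADERS:
        kinds = seen.get(name, set())
        if "http" in kinds:
            verdict[name] = "http"       # request reached us: reportable SSRF
        elif "dns" in kinds:
            verdict[name] = "dns-only"   # name resolved, request blocked: P5
        else:
            verdict[name] = "none"
    return verdict


def demo():
    """Constructed scenario with fixed tokens so the result is reproducible."""
    tokens = iter(["aaaa0001", "bbbb0002", "cccc0003", "dddd0004"])
    _tagged, label_map = tag_headers({"Host": "target.example"},
                                     token_for=lambda: next(tokens))
    # Constructed OOB log: the Referer payload was fetched (DNS, then HTTP),
    # the X-Forwarded-For payload was only resolved, the rest did nothing.
    interactions = [
        ("dns", "AAAA0001.oob.example.net."),   # resolver upper-cased it
        ("http", "aaaa0001.oob.example.net:80"),
        ("dns", "bbbb0002.oob.example.net"),
    ]
    return classify(label_map, interactions)


if __name__ == "__main__":
    for header, verdict in demo().items():
        print(f"{header:16} {verdict}")
```

The one-token-per-header scheme is what lets you say which header the back end acted on; without it a DNS hit only tells you that something resolved your domain. Only the `http` verdict is the finding the post describes as valid; `dns-only` is worth a line in the report's notes, nothing more.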

Jerry Shah (Jerry)

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|