Blind SSRF with Burp Collaborator

Shivansh Malik
2 min readJun 4, 2021

--

Hello,

Blind SSRF is an attack which can lead to many bad effects, Its a high severity vulnerability, Sometimes rated as critical in some cases. So in this story ill tell how to reproduce SSRF with Burp Collaborator Client, So for instance we will be going to use discord, Not for being vulnerable but for renders. Lets get into it!

Burp Collaborator is a functionality in Burp Suite Professional, Which allows generation of payloads/Or we can call them subdomains of http://burpcollaborator.net/ , What these does is that they capture all Out-Of-Band or we can say the connection made by another site to the Burp Collaborator. So if you don’t know whats SSRF, Its mentioned in next paragraph.

Blind SSRF (Server Side Request Forgery) Is a vulnerability which occurs when a server makes Out-of-Band connections to another site without filtration or monitors. This becomes an opportunity for the site its connecting to, The attacker site can insert malicious content to the victim site, Thus sometimes leading to Remote Code Execution on main site. Lets have a look at a scenario which states how the vulnerability works. To open burp collaborator, Open burp suite pro > Click “Burp” on top left > Click “Burp Collaborator”, Its interface looks like this:

Burp Collaborator Client Interface

So, Now lets get on the attack. To make you beilive how this thing works, Here are the steps:

  1. Open discord and Burp Collaborator
  2. Adjust number of 1 to generate and copy to clipboard (In Burp Collaborator)
  3. Paste the payload/URL in ANY Discord chat, It just has to be sent
  4. Switch to Burp Collaborator Client, Click on “Poll Now”, You will see 2 Requests, DNS and HTTP

Lets see why its like that, Discord renders/embeds every URL you send to anyone, Thus it rendered the URL to get a little bit of the site’s interface and thus it made the connection. Thats how Blind SSRF works.

So that was a brief explanation about Blind SSRF attacks, Good luck!

--

--

Shivansh Malik
Shivansh Malik

No responses yet