Blind SSRF arises when an application can be induced to issue a backend HTTP request to a supplied URL, but the response from that backend request is not returned in the application's frontend response. In other words, the attacker cannot directly see the result of their actions, hence "blind".
The impact of blind SSRF is lower than that of its fully-informed counterpart because of its one-way nature: it cannot easily be used to read backend information back out.
- Google Chrome
- Python 3.6+
It is usually checked by sending an HTTP request from the vulnerable system to an external system controlled by the attacker.
If the attacker observes that HTTP request arriving, the system is vulnerable to SSRF.
- Clone the repo with `git clone https://github.com/CS4239-U6/blind-ssrf.git`.
- Install requirements using `pip3 install -r requirements.txt`.
- Run the vulnerable server using `python3 VulnerableServer/__main__.py`.
As this is a blind SSRF, the attacker does not know the result of the request. In order to view the results, follow the instructions below:
- Go to https://webhook.site/ to get a URL representing the webhook.
- Copy the link from the website, e.g. `https://webhook.site/{some_uuid_here}`.
- Paste it into the fields in the server's `/` route.
- Press Submit and watch the https://webhook.site panel reflect a request from the server.
Even though we cannot see the request firing from the server on our end, the SSRF still happens, as observed from the request arriving at https://webhook.site.
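The following is an added example and not code from the blind-ssrf repository. It shows the "fetch and discard" shape that makes the SSRF blind (the handler answers with a fixed message whatever the backend request returned) beside a hardened handler that validates the supplied URL before any backend request is made: scheme allowlist, no embedded credentials, a host allowlist, and a check that the host resolves only to public addresses. The function names, the allowlist, the fake DNS table and the recording fetch are constructed for the demo so it runs offline.

```python
# Added example, not code from the blind-ssrf repository: the blind
# "fetch and discard" handler next to a hardened version that validates the
# outbound URL first. The allowlist, fake resolver and recording fetch are
# constructed for the demo; all function names are hypothetical.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist: the only destinations this app is meant to contact.
ALLOWED_HOSTS = {"example.com", "api.example.com"}


def resolve_host(host):
    """Default resolver: every address the hostname resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_non_public(ip_text):
    """True for loopback, RFC 1918/ULA, link-local, reserved, multicast
    and unspecified addresses, i.e. anything an app should not reach
    on behalf of an outside user."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_outbound_url(url, resolver=resolve_host):
    """Return (ok, reason). Rejects non-http(s) schemes, embedded credentials,
    hosts outside the allowlist, and allowlisted hosts that resolve to a
    non-public address (the rebinding / poisoned-DNS case)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "host does not resolve"
    for address in addresses:
        if is_non_public(address):
            return False, "resolves to non-public address " + address
    return True, "ok"


def vulnerable_submit(url, fetch):
    """The blind-SSRF shape: fetch whatever URL was supplied, then answer
    with a fixed message, so the caller never sees the backend response."""
    try:
        fetch(url)
    except Exception:
        pass
    return "Submitted"


def hardened_submit(url, fetch, resolver=resolve_host):
    """Same response shape, but the backend request is only issued after the
    URL passes validation. The injected fetch must not follow redirects
    unless each hop is validated the same way."""
    ok, reason = validate_outbound_url(url, resolver)
    if not ok:
        return "Rejected: " + reason
    try:
        fetch(url)
    except Exception:
        pass
    return "Submitted"


# Constructed DNS table so the example runs with no network access.
FAKE_DNS = {"example.com": ["93.184.216.34"]}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("constructed NXDOMAIN for " + host)
    return FAKE_DNS[host]


def run_demo(urls, resolver=fake_resolver):
    """Run both handlers over the URLs; the injected fetch only records the
    URL, so the result shows which backend requests each handler would fire."""
    fired = {"vulnerable": [], "hardened": []}
    for url in urls:
        vulnerable_submit(url, fired["vulnerable"].append)
        hardened_submit(url, fired["hardened"].append, resolver)
    return fired


if __name__ == "__main__":
    sample = [  # constructed inputs
        "https://example.com/report",
        "http://127.0.0.1:5000/",
        "ftp://example.com/",
        "https://webhook.site/00000000-0000-0000-0000-000000000000",  # placeholder
    ]
    for handler, urls in run_demo(sample).items():
        print(handler, "fired:", urls)
```

Two caveats on the hardened form: the address check is only as good as the moment it runs, so a real fetch should connect to the address that was validated (or go through an egress proxy that enforces the same policy) rather than resolving the name a second time; and because the user never sees the response, the server's own egress logs, not the HTTP reply, are where a defender will notice a blind SSRF firing.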
- `flask`: Web framework.
- `selenium`: For screenshot functionalities.