Blind SSRF

• Cannot see the back-end request
• Harder to exploit but can lead to full RCE

Finding the Hidden Attack Surface

• Partial URLs in Requests
• URLs within data formats
  • Example is the XML data format
  • If an application parses XML data it might be vulnerable to an XXE injection
• SSRF via the Referer Header
  • Can exploit server-side analytic software that tracks visitors
  • Analytic software will often visit any 3rd party URL that appears in the Referer header
  • Can exploit the application by editing the referer header for a malicious site or code