Blind SSRF
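- The response from the back-end request is not returned in the application's front-end response, so the result cannot be seen directly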
- Harder to exploit but can lead to full RCE
Finding the Hidden Attack Surface
- Partial URLs in Requests
- URLs within data formats
  - Example: the XML data format
  - If an application parses XML data, it might be vulnerable to XXE injection
- SSRF via the Referer Header
  - Targets server-side analytics software that tracks visitors
  - Analytics software will often visit any third-party URL that appears in the Referer header
  - The Referer header is client-controlled, so it can be edited to point at a malicious site or to carry malicious code
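
Added example (not from the original notes): a check that analytics software could run before it visits a URL taken from the Referer header, rejecting non-HTTP schemes and any host that resolves to a non-public address. The function names, the injectable `resolver` parameter and the `FAKE_DNS` table are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve_all(host):
    """Default resolver (needs DNS): every address the name maps to."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def is_public(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 scope id
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global  # False for loopback, private, link-local, reserved

def check_referer_target(referer, resolver=resolve_all):
    """Return (allowed, reason, addrs) for a Referer URL about to be fetched."""
    try:
        parts = urlsplit(referer)
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL", []
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    if not host:
        return False, "no host", []
    try:
        addrs = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        try:
            addrs = list(resolver(host))
        except OSError:
            addrs = []
    if not addrs:
        return False, "resolution failed", []
    # Reject if ANY resolved address is internal, not just the first one.
    blocked = [a for a in addrs if not is_public(a)]
    if blocked:
        return False, "non-public address: " + blocked[0], []
    # The fetcher should connect to one of these addresses rather than
    # resolving the name again, so a later DNS change cannot redirect it.
    return True, "ok", addrs

# Constructed sample data standing in for DNS so the example runs offline.
FAKE_DNS = {"blog.example": ["93.184.216.34"],
            "intranet.example": ["10.0.0.5"],
            "mixed.example": ["93.184.216.34", "192.168.1.20"]}

def fake_resolver(host):
    return FAKE_DNS.get(host, [])
```
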