I know SSRF can be exploited with the file:// protocol to read local files (something like path traversal) and also to scan ports of hosts on the same network as the web server.
But how can blind SSRF be exploited?
Viewed 3,215 times
6
Reda LM
Using it for conducting a Denial of Service attack? – Shiv Sahni Apr 03 '18 at 15:44
1 Answer
6
What one can achieve with blind server-side request forgery depends heavily on the context of the vulnerability. Port scanning (XSPA) and hitting unauthenticated HTTP endpoints (e.g. /shutdown :P) are possibly the most obvious things you can achieve, however, from my personal experience as a bug bounty hunter, people will attempt to chain blind SSRF with other issues in order to escalate the severity and exploitability as seen in http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html.
EdOverflow
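A server-side check against the request types discussed in the question and answer above (file:// reads, internal port scans, unauthenticated internal HTTP endpoints), as an added example that is not part of the original posts. The function names, sample hostnames and addresses are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # rejects file://, gopher://, etc.

# Constructed sample data so the example runs offline (not real hosts).
SAMPLE_DNS = {
    "consul.internal.example": {"10.0.0.5"},
    "cdn.example.com": {"93.184.216.34"},
    "127.0.0.1": {"127.0.0.1"},
}

def sample_resolver(host, port):
    """Stand-in resolver for the demo; unknown names fail like a DNS error."""
    if host not in SAMPLE_DNS:
        raise OSError("unknown host")
    return SAMPLE_DNS[host]

def system_resolver(host, port):
    """Every address the name currently maps to, via the OS resolver."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied URL the server would fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    if not parts.hostname:
        return False, "URL has no host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addrs = resolver(parts.hostname, port)
    except (ValueError, OSError):
        return False, "invalid port or unresolvable host"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        if not ip.is_global:  # loopback, RFC 1918, link-local and similar
            return False, f"{parts.hostname} resolves to non-public address {ip}"
    return True, "ok"

if __name__ == "__main__":
    for u in ("file:///etc/passwd", "http://127.0.0.1/shutdown",
              "http://consul.internal.example:8500/", "https://cdn.example.com/a.png"):
        print(u, "->", check_outbound_url(u, sample_resolver))
```

The fetch itself has to connect to the address that was validated and re-run the check on every redirect, otherwise a second DNS lookup or a 3xx response bypasses it.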