How I Found a Blind SSRF on a HackerOne Program
Intro: Hey guys! What’s up? Today I will tell you how I found a Blind SSRF on a VDP, which is also known as CVE-2020-10770. So let’s jump into it.
An exploit for this vulnerability is also present in Exploit-DB. It is present in Keycloak 12.0.1.
Recon:
While using subfinder I found a domain called portalcustodiacloak.domain.com. On this domain I found the SSRF just by following Exploit-DB. The endpoint is:
http://portalcustodiacloak.domain.com/auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=<collaborator_url>
Attack:
So I intercepted the request in Burp Repeater and saw the response, which said 400 Bad Request. Then, in the URL section, I put the Burp Collaborator payload.
Then I clicked Poll Now and saw HTTP and DNS interactions in my Burp Collaborator client. This is how I understood that it was vulnerable to Blind SSRF.
So this is how I found this vulnerability and reported it via HackerOne. That’s it.
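A defender-side check for the request pattern described above, as an added example that is not part of the original post: it scans access-log lines for requests to the OpenID Connect auth endpoint that carry a request_uri parameter pointing at a host outside an allowlist. The combined log format, the sample lines, the allowlist and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# OIDC authorization endpoint named in the write-up, for any realm.
AUTH_PATH = re.compile(r"^/auth/realms/[^/]+/protocol/openid-connect/auth$")
# Client address, request target and status of a combined-format log entry.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# Assumption: hosts this deployment legitimately uses for request_uri (often none).
ALLOWED_REQUEST_URI_HOSTS = frozenset()

# Constructed sample log lines (documentation addresses and .test hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http%3A%2F%2Fcanary.example.test%2Fx HTTP/1.1" 400 512 "-" "curl/7.68.0"
198.51.100.4 - - [10/Mar/2021:10:00:05 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.test%2Fcb&client_id=app HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2021:10:00:09 +0000] "GET /auth/realms/master/account HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def suspicious_request_uri(line, allowed=ALLOWED_REQUEST_URI_HOSTS):
    """Return (client, status, target_host) when the line is an auth request whose
    request_uri points outside the allowlist, otherwise None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    url = urlsplit(target)
    if not AUTH_PATH.match(url.path):
        return None
    # The write-up saw a 400 response while the callback still arrived, so the
    # status is reported but never used to filter. parse_qs percent-decodes values.
    for value in parse_qs(url.query).get("request_uri", []):
        host = (urlsplit(value).hostname or "").lower()
        if host not in allowed:
            return client, status, host or value
    return None

def scan(log_text, allowed=ALLOWED_REQUEST_URI_HOSTS):
    """Run the check over every line and keep only the findings."""
    hits = (suspicious_request_uri(line, allowed) for line in log_text.splitlines())
    return [hit for hit in hits if hit]

if __name__ == "__main__":
    for client, status, host in scan(SAMPLE_LOG):
        print(f"request_uri -> {host} from {client} (HTTP {status})")
```

Log matching only shows who probed the endpoint; upgrading Keycloak to a release that fixes CVE-2020-10770 is what removes the server-side fetch.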
THANKS FOR READING!
Happy Hacking~