If the backend of an application (i.e. the server) does any kind of processing, we can make that server send requests to some unintended location that it is not supposed to reach.
Typically, we can make it send requests to its internal services, e.g. /etc/passwd,
or make it connect to arbitrary external systems.
Blind SSRF → the request is made to the backend and is processed by the server, but the response is not visible in the front end's response.
The most reliable way to detect this vulnerability is to use out-of-band (OAST) techniques, i.e. send a request to an external system that you control and monitor for network interactions with that system.
Use Burp Collaborator.
On that Burp Collaborator payload → often a DNS lookup is seen, but no HTTP request is made. This is because the application's HTTP request, which caused the initial DNS lookup, is blocked by network filters. It is common for infrastructure to permit outbound DNS traffic, which is necessary for various purposes, but to restrict HTTP connections to unexpected destinations.
Simply finding blind SSRF won't mean anything if it cannot be exploited. Since the response is not visible in the typical manner, we can probe for other vulnerabilities on the server. Sweep the internal IP address space.