June 16, 2026
SSRF by encoding
Pratik Pohankar
Hey Everyone, I'm Pratik Pohankar, a security researcher, and recently, while assessing a bug bounty target, I identified a Blind SSRF vulnerability that demonstrated server-side interaction with an external domain under my control. Although the application did not return the response directly, out-of-band interactions confirmed the vulnerability.
This article walks through the discovery process, validation methodology, and lessons learned during the investigation.
The Initial Observation
I noticed a request containing a parameter with a long encoded value. Instead of treating it as random application data, I began asking a few questions:
- Why is this value encoded?
- Is it decoded server-side?
- Does it contain a URL?
- Is the application performing any action based on the decoded content?
Many security findings start with simple curiosity. After decoding the value, I noticed that it appeared to contain a URL that was later processed by the application. That immediately caught my attention.
Following the Clues
To better understand the application's behavior, I began observing how the server handled modified versions of the encoded value. The responses provided very little feedback. There were no visible errors. No reflected content. No indication that a request had been made. At first, it appeared to be a dead end. But many SSRF vulnerabilities are "blind," meaning the application gives no direct evidence that a server-side request occurred.
Discovering the Blind SSRF
Because the application provided no visible output, I shifted my attention toward out-of-band validation techniques. Shortly afterward, I observed interactions that indicated the backend server had processed the supplied URL. The application itself never displayed the result. Instead, the evidence came from observing network interactions generated by the server. At that moment, the issue transitioned from a theory to a confirmed Blind SSRF vulnerability.
Applications often encode values to:
- Preserve special characters
- Pass URLs between services
- Hide implementation details
- Prevent malformed requests
However, encoding should never be treated as a security control. If an application decodes user-controlled input and then performs sensitive actions on the decoded result without proper validation, security issues can emerge. In this case, the encoded value masked behavior that was not immediately obvious during initial testing.
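As an added illustration (not the author's code and not the target's), here is the pattern in Python: a handler that treats base64 decoding as if it were validation, beside one that decodes and then checks scheme, host allowlist, port and the resolved address before any request is made. The allowlist, host names and DNS answers are constructed for the example; `resolve` is injectable so the check runs without real DNS.

```python
import base64
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed for this example: the only host the backend is meant to fetch from.
ALLOWED_HOSTS = {"cdn.example.test"}


def encode_param(url: str) -> str:
    """Produce the opaque parameter value a client sends (base64url, no padding)."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def decode_param(value: str) -> str:
    """Decode the parameter the way a naive backend does: base64url, no checks."""
    padded = value + "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8", errors="replace")


def vulnerable_target(value: str) -> str:
    """Vulnerable pattern: decoding is mistaken for validation, so any URL is fetched."""
    return decode_param(value)


def check_target(value: str, resolve=socket.gethostbyname) -> tuple[bool, str]:
    """Hardened pattern: decode, then validate scheme, host, port and resolved address.
    Returns (True, url) if the fetch may proceed, else (False, reason)."""
    try:
        p = urlparse(decode_param(value))
        port = p.port  # raises ValueError on a malformed port
    except ValueError as exc:  # also covers bad base64 (binascii.Error)
        return False, f"malformed parameter or URL: {exc}"
    if p.scheme != "https":
        return False, f"scheme not allowed: {p.scheme!r}"
    if not p.hostname or p.username or p.password:
        return False, "missing host or embedded credentials"
    if port not in (None, 443):
        return False, f"port not allowed: {port}"
    host = p.hostname.lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allowlist: {host}"
    try:  # resolve and reject non-public answers so DNS cannot point the fetch inward
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    if not addr.is_global:
        return False, f"host resolves to non-public address: {addr}"
    return True, p.geturl()
```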
Small Clues Matter
The parameter initially looked harmless. The SSRF was not discovered through automated scanning. It was discovered by following a small clue and asking additional questions about how the application worked.
In reality, many findings begin with something much simpler: a strange parameter, an encoded value, an unexpected request, a moment of curiosity.