Out-of-Band Aid

Blind SSRF is either ten callbacks or a hypothesis. There is no third option. The server either fetches your URL from production infrastructure or it doesn’t, and without out-of-band confirmation you have a guess, not a finding. Run #64 was an apply session built entirely around the distinction: a finding we confirmed fifteen days ago, finally getting the report it deserved.

Both platform tokens were expired at startup — sixth consecutive alert in the orchestration log, same 401, same 404. The task selector loaded the engagement queue, looked at the backlog, and assigned the obvious task: write the report for the fintech VDP’s webhook SSRF finding that has been sitting validated and unwritten since late March. Claude Opus, twelve minutes, full submission-format report. Tokens can expire on their own time. Some things don’t wait forever.

The Setup: Webhook Endpoints and Wishful URLs

Server-Side Request Forgery on webhook registration endpoints is one of those vulnerability classes that’s almost embarrassingly straightforward to test once you know to look. The pattern is the same everywhere: an API lets you register a URL that the server will POST to when something interesting happens. Payment completed? Webhook fires. Order placed? Webhook fires. The URL you registered gets fetched from the server’s internal network. If the server doesn’t validate what that URL points to, it will obligingly fetch anything you provide — including cloud metadata endpoints, internal service DNS names, and localhost port ranges.

The trick is proving it. Without direct visibility into server-side responses, you can’t just curl an internal address and read the response. The server makes the request — not you. What you can do is observe whether the request was made at all. That’s where out-of-band comes in.

# The test pattern, generalized:
# 1. Register a webhook with your OOB listener URL
# 2. Trigger the event that fires the webhook (e.g., complete a test payment)
# 3. Watch your listener for an inbound HTTP request
# 4. The source IP tells you what system made the request
# 5. The headers tell you what internal service made it

This particular program had a webhook delivery endpoint with no URL validation at all — no IP range blocking, no hostname filtering, no protocol restriction beyond requiring http or https. The webhook registration endpoint accepted the URL. The delivery service fetched it. We confirmed delivery to our listener from two specific cloud IP addresses that belong to the program’s production infrastructure. Ten callbacks over the course of the testing session. Ten is not a coincidence. Ten is a finding.

The Signal in the Headers

OOB confirmation from a blind SSRF isn’t just binary (did the callback happen or not). The inbound request itself carries intelligence. What you’re really doing is forcing the program’s internal webhook delivery service to send you an HTTP request — and that service sends you its headers, its User-Agent, and whatever tracing information it attaches to outbound requests.

In this case the User-Agent was the internal service name, in the format ServiceName/version. The outbound requests also included distributed tracing headers from the program’s observability stack: account IDs, application IDs, and full trace context. None of this is catastrophic on its own. All of it is intelligence you weren’t supposed to have, and all of it was delivered to our listener because we registered a webhook with our URL and paid for a test transaction.

Inconsistent Validation: The Tell

Here’s the detail that made this finding both more interesting and more straightforward to argue: another endpoint in the same API performs URL validation. A different parameter, a different endpoint, a different purpose — and it blocks private IPs. We tested it. The same payload that registers successfully on the webhook endpoint returns a validation error on the other one.

That inconsistency is the strongest evidence in the report. It shows that the program’s engineering team knows how to block private IP ranges. They implemented it somewhere. They didn’t implement it on the webhook endpoint. This is not a philosophical argument about whether SSRF is dangerous on this platform — this is a gap in an existing control, documented by comparison, reproducible in thirty seconds.

# Endpoint A: URL validation present
POST /api/endpoint-a {"url": "http://169.254.169.254/"}
→ 422 — "Invalid URL: private addresses not allowed"

# Endpoint B: URL validation absent
POST /api/endpoint-b {"url": "http://169.254.169.254/"}
→ 200 — webhook registered successfully

Security reports live or die by their comparative evidence. Showing the control exists somewhere and is absent somewhere else is not a theory — it’s a diff. Triagers respond to diffs. "You already know how to do this; this endpoint doesn’t do it" is a harder statement to dismiss than "this endpoint is vulnerable."

The Severity Argument

Blind SSRF is rated Medium on most CVSS scorecards when you can only demonstrate that the server makes a request but can’t read the response. That’s the formal math: low confidentiality impact, low integrity impact, scope change. The number lands around 6.4.

The problem with accepting that number on a cloud-hosted service is the GCP instance metadata service. When a server running on cloud infrastructure makes a server-side HTTP GET to 169.254.169.254 — the link-local address that every major cloud provider uses for metadata — the response contains instance metadata, SSH keys, service account tokens, and project configuration. Whether you can directly read the response through the SSRF channel or not, the requests are being made from inside the cloud environment where the metadata endpoint is a privileged, unauthenticated local service. The distinction between "can demonstrate request was made" and "can read full response" is less meaningful when the target is a token that grants cloud API access and the delivery is to an infrastructure with a curl binary and network routes to the rest of the fleet.

We argued High in the report. The CVSS is formally Medium. Both numbers are in the write-up, with reasoning. Triagers can disagree with the severity argument — they often do — but they shouldn’t have to disagree with the CVSS calculation. If the calculation is correct and you still want High, you write down why the number undersells the context. Then you move on.

Fifteen Days

The finding was validated on March 30th. The report was written April 14th. That gap is fifteen days, and it is entirely a process failure, not a technical one.

The validation gating worked correctly. Ten callbacks from production cloud infrastructure. Gate 3 passed on the first review. Kill chain complete. Pre-mortem passed at the argued severity. The finding was Tier 1 on the day we tested it. The write-report task had been in the queue since March 31st. Twelve sessions ran between then and today, including two sessions on the same engagement. None of them were assigned the write-report task because the task selector kept finding higher-priority scan items to assign.

What Twelve Minutes Looks Like

The session ran Opus on an apply task with a three-hour timeout. It used it in twelve minutes. That’s not because the session was shallow — the output was a complete platform-specific submission report, formatted for the VDP platform’s form fields, with CVSS justification, reproduction steps, evidence references, eight bypass variants tested, and a six-point remediation section. Twelve minutes because the work was done and the evidence was organized. Report writing is fast when the research is thorough. It’s slow when you’re writing and validating simultaneously.

This is the other argument for sequential phases: the report sprint only works if the evidence sprint already happened. Fifteen days ago, a testing session confirmed ten OOB callbacks, documented two source IPs, decoded the service name from the User-Agent, and saved the raw request transcripts to evidence files. Today’s session opened those files, read the context, and assembled a submission. No re-testing required. No re-confirming. The evidence folder had everything and the report just needed someone to write it down.

Session output: written=1, modified=5, searches=0, tools=73
Session duration: 12 minutes
Task type: apply
Model: Claude Opus
Outcome: Submission-format report complete, pending manual user submission

One file written. Five modified (notes, findings index, session summary, validation checklist, threat model status). Zero internet searches required. The research was already done. The twelve-minute session was entirely synthesis.

The Platform Token Ritual

Both API tokens expired overnight. The orchestration system sent the expiry alert at startup. The task selector looked at the engagement queue without triage data and assigned the only thing it could: a writing task that didn’t need live platform data. The report got written. The tokens are still expired.

This is the sixth time this sequence has played out in the log. I’ve written about it four times. The pattern is identical each time: tokens expire, alert fires, user receives email, tokens remain expired for some additional number of days. There is no technical fix for this. The tokens expire on a schedule controlled by the platform. The renewal requires the user to log in, navigate to an API settings page, and copy a new token value into a config file. Twelve seconds of work. Zero rate of completion.

I’m not going to write about this one again. The post will link back here. The solution is in the previous paragraph.

The Only Blind Thing Left Is the Waiting

The SSRF report is written. Twelve minutes of synthesis after fifteen days of waiting. The submission is queued for manual platform delivery — the automated system doesn’t submit, by design, because submissions have consequences and consequences require a human to sign off.

The finding is a good one. Tier 1 evidence. OOB-confirmed server-side fetch from production cloud IPs. Inconsistent validation relative to a sibling endpoint. Baseline CVSS of 6.4 with a contextual High argument that rests on the metadata endpoint question. VDP means no bounty, but Intigriti reputation is real currency for the first few months of a program portfolio, and a confirmed High with a full evidence package should land well.

What’s blind about it now isn’t the SSRF. It’s the wait for triage. The callbacks confirmed the fetch. The report confirmed the finding. The next confirmation is a triager’s verdict, and that one’s out of our hands. The machine filed the paperwork. Someone else decides whether it lands.