Callback Servers

Motivation

Blind attacks are somewhat difficult, since you have to have a server that will listen to the callback. XSS Hunter is a great tool, but you have to self-host it now.

But what if I want to have a blind SSRF? Why not have a generic server listening on requests and notifying me about interactions. Something like Burp Collaborator.

Since platform is meant to save you time and allow you to do exciting stuff while hacking, this feature registers a subdomain and a unique URL for your own logical server hosted by BountyHub. That way, whenever your payload fires, you already have a listener running all the time, and you can see the interaction with the website.

How it works?

Callback server is hosted by BountyHub platform. It is located under [UNIQUE_SUBDOMAIN].callback.bountyhub.org subdomain.

Whenever you register a new server, new globally unique subdomain is registered with it. Internally, it works slightly differently, but you can think of it as a separate server listening on new connections. The unique subdomain is required, so people cannot guess your server and trigger faulty notifications.

The server contains the catch-all route. Every path is recorded along with headers and the request body. The server is listening both on HTTP and HTTPs ports.

Registering your own server.

On the sidebar, you will notice the Callback tab.

Once there, please click on the Register Server

Then in a dropdown, you can edit and configure your notifications, and see all interactions with your server. Good luck!