How to do it...

  1. Switch to the Burp Project options | Misc tab. Note the Burp Collaborator Server section. You have options available for using a private Burp Collaborator server, which you would set up, or you may use the publicly internet-accessible one made available by PortSwigger. For this recipe, we will use the public one:

  1. Check the box labeled Poll over unencrypted HTTP and click the Run health check… button:

  1. A pop-up box appears to test various protocols to see whether they will connect to the public Burp Collaborator server available on the internet.
  1. Check the messages for each protocol to see which are successful. Click the Close button when you are done:

  1. From the top-level menu, select Burp | Burp Collaborator client:

  1. A pop-up box appears. In the section labeled Generate Collaborator payloads, change the 1 to 10:

  1. Click the Copy to clipboard button. Leave all other defaults as they are. Do not close the Collaborator client window. If you close the window, you will lose the client session:

  1. Return to the Firefox browser and navigate to OWASP 2013 | A1 – Injection (Other) | HTML Injection (HTMLi) | DNS Lookup:

  1. On the DNS Lookup page, type an IP address and click the Lookup DNS button:

  1. Switch to the Burp Proxy | HTTP history tab and find the request you just created on the DNS Lookup page. Right-click and select the Send to Intruder option:

  1. Switch to the Burp Intruder | Positions tab. Clear all suggested payload markers, highlight the IP address, and click the Add § button to place payload markers around the IP address value of the target_host parameter:

  1. Switch to the Burp Intruder | Payloads tab and paste the 10 payloads you copied to the clipboard from the Burp Collaborator client into the Payload Options [Simple list] textbox using the Paste button:

     Make sure you uncheck the Payload Encoding checkbox.

  1. Click the Start attack button. The attack results table will pop up as your payloads are processing. Allow the attacks to complete. Note that the burpcollaborator.net URL is placed in the payload marker position of the target_host parameter:

  1. Return to the Burp Collaborator client and click the Poll now button to see whether any SSRF attacks were successful over any of the protocols. If any requests leaked outside of the network, they will appear in this table along with the specific protocol used, and you will need to report the SSRF vulnerability as a finding. As you can see from the results shown here, numerous DNS queries were made by the application on behalf of the attacker-provided payloads:
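
What the Poll now table is revealing is a handler that resolves whatever the target_host parameter contains. As an added illustration (not code from the cookbook or from Mutillidae), the snippet below puts that vulnerable shape next to a hardened one that only accepts public IP literals or allowlisted hostnames, and runs the page's style of payload set through both with an offline stand-in resolver; the example.com allowlist suffix and the placeholder Collaborator subdomain are assumptions.

```python
import ipaddress
import re

# Constructed payloads resembling the page's Intruder run: a public IP, a
# placeholder Collaborator-style hostname, and two internal addresses.
SAMPLE_INPUTS = ["8.8.8.8", "abc123.burpcollaborator.net", "127.0.0.1", "10.0.0.1"]
# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)*[a-z0-9-]{1,63}$", re.I)

def lookup_vulnerable(target_host, resolver):
    """Vulnerable shape: resolves whatever target_host holds, so a hostname the
    tester controls (a Collaborator payload) makes the server emit the DNS
    query that later shows up in the Poll now table."""
    return resolver(target_host)

def lookup_hardened(target_host, resolver, allowed_suffixes=("example.com",)):
    """Hardened form: accept only globally routable IP literals (no lookup
    needed) or hostnames under an allowlist of suffixes (assumed config value);
    everything else is rejected before any DNS traffic is generated."""
    value = target_host.strip().lower()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        if not addr.is_global:
            raise ValueError("non-public address rejected: " + value)
        return str(addr)
    if not HOSTNAME_RE.match(value):
        raise ValueError("malformed hostname")
    if not any(value == s or value.endswith("." + s) for s in allowed_suffixes):
        raise ValueError("hostname outside allowlist: " + value)
    return resolver(value)

def run_payloads(inputs, handler):
    """Feed each payload to a handler, as Intruder did on the page, and return
    (outcome per payload, names the resolver was actually asked for). The
    resolver is an offline stand-in that answers with a TEST-NET-1 address."""
    queries = []
    def fake_resolver(name):
        queries.append(name)
        return "192.0.2.1"
    outcomes = {}
    for payload in inputs:
        try:
            outcomes[payload] = handler(payload, fake_resolver)
        except ValueError as exc:
            outcomes[payload] = "rejected: " + str(exc)
    return outcomes, queries
```

Running SAMPLE_INPUTS through lookup_vulnerable records every payload as a DNS query, including the Collaborator-style name; through lookup_hardened the resolver is never called and only the public IP is accepted.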
