🧠 What is SSRF?

SSRF (Server-Side Request Forgery) is a vulnerability that allows an attacker to make the server send HTTP requests on their behalf. This can lead to:


🔍 What to Observe Before Testing for SSRF

Before testing, watch for any functionality where the application takes a URL or interacts with external resources, such as:

✅ Features to Look For:

| Feature | Example |
| --- | --- |
| Image/file fetching | Upload a URL instead of a file |
| PDF generation from URLs | "Enter a link to generate PDF" |
| Webhooks | Application calls back to a given endpoint |
| Import functionality | "Import from Feed URL" |
| URL previews | Messaging apps that show a preview |
| SSRF behind the scenes | SSO/OAuth with dynamic redirect_uri or callback_url |
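
One way to build this inventory from traffic captured on your own application, as an added example that is not from the original page: it flags every query, form or JSON parameter whose value parses as a URL. The sample requests, hosts and all parameter names except callback_url are constructed for illustration.

```python
import json
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample requests (method, target, body); not taken from the original page.
SAMPLE_REQUESTS = [
    ("GET", "/avatar?src=https%3A%2F%2Fcdn.example.com%2Fa.png&size=64", ""),
    ("POST", "/pdf", '{"link": "http://example.com/report", "title": "Q3"}'),
    ("POST", "/webhooks", "callback_url=https://hooks.example.net/in&name=ci"),
    ("GET", "/search?q=ssrf+basics&page=2", ""),
    ("GET", "/preview?u=//example.org/post/1", ""),
]

def looks_like_url(value):
    """True if value (possibly still percent-encoded) names a host: scheme://host or //host."""
    try:
        return isinstance(value, str) and bool(urlsplit(unquote(value.strip())).netloc)
    except ValueError:  # e.g. malformed IPv6 literal
        return False

def walk_json(obj, prefix=""):
    """Yield (dotted_key, value) for every leaf of a decoded JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk_json(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk_json(v, f"{prefix}[{i}]")
    else:
        yield prefix, obj

def url_parameters(target, body):
    """Return sorted (location, name) pairs whose value is a URL."""
    pairs = [("query", k, v) for k, v in parse_qsl(urlsplit(target).query)]
    try:
        pairs += [("json", k, v) for k, v in walk_json(json.loads(body))]
    except ValueError:  # body is not JSON: treat it as form-encoded
        pairs += [("form", k, v) for k, v in parse_qsl(body)]
    return sorted((loc, k) for loc, k, v in pairs if looks_like_url(v))

def inventory(requests):
    """Map 'METHOD path' to its URL-carrying parameters, skipping requests with none."""
    found = {}
    for method, target, body in requests:
        if hits := url_parameters(target, body):
            found[f"{method} {urlsplit(target).path}"] = hits
    return found

if __name__ == "__main__":
    print(inventory(SAMPLE_REQUESTS))
```

Each endpoint it reports is one where the server may fetch a user-supplied address, so those are the handlers to review for destination validation.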

⚠️ Parameters to Pay Attention To: