Server Side Request Forgery
Testing guide
- Change URLs inside relevant API calls
- Beware of blacklist-based and whitelist-based input filters - obfuscate localhost
- SSRF with filter bypass via open redirection vulnerability
- Maybe check the Referer header
- Spoof hostname
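
The filter and redirect items above, seen from the defending side. This is an added example, not code from the original page. It shows why a substring blocklist misses an obfuscated localhost, and a check that normalizes the host to an address and re-validates every redirect hop. The `DNS` and `REDIRECTS` tables, the host names and all function names are constructed assumptions that stand in for a real resolver and real `Location` headers.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not from the page).
DNS = {"api.example": "93.184.216.34", "partner.example": "93.184.216.34",
       "internal.example": "10.0.0.5"}
REDIRECTS = {"https://partner.example/go": "http://127.0.0.1/"}

def naive_blocklist_ok(url):
    """Substring blocklist: the kind of filter that obfuscated hosts slip past."""
    return not any(bad in url.lower() for bad in ("localhost", "127.0.0.1"))

def host_to_ip(host, resolve):
    """Return the address a host string actually denotes, or None if unknown."""
    try:
        return ipaddress.ip_address(host)            # canonical IPv4/IPv6 literal
    except ValueError:
        pass
    try:
        # inet_aton also accepts legacy integer, hex, octal and short IPv4 forms.
        return ipaddress.ip_address(socket.inet_aton(host))
    except (OSError, ValueError):
        pass
    addr = resolve(host)                             # injected resolver (hypothetical)
    return ipaddress.ip_address(addr) if addr else None

def is_safe_url(url, resolve=DNS.get):
    """Allow only http(s) URLs whose host maps to a globally routable address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = host_to_ip(parts.hostname, resolve)
    return ip is not None and ip.is_global

def chain_is_safe(url, next_hop=REDIRECTS.get, max_hops=3):
    """Re-validate every redirect target instead of trusting the first URL."""
    for _ in range(max_hops + 1):
        if not is_safe_url(url):
            return False
        url = next_hop(url)                          # Location target, or None
        if url is None:
            return True
    return False                                     # too many redirects
```

In a real client the request should then connect to the address that was validated, so a second DNS lookup cannot return a different answer between the check and the fetch.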
Attack surface
- Unauthorized access to resources