SSRF Notes NOTE : Wanted to have everything at one place, these are my reference notes from various bug bounty write ups & security research, I thank all the authors of the write ups mentioned below [will update if i find anything interesting] Description In an SSRF attack against the server itself, the attacker induces the application to make an HTTP request back to the server that is hosting the application, via its loopback network interface. This will typically involve supplying a URL with a hostname like 127.0.0.1 (a reserved IP address that points to the loopback adapter) or localhost (a commonly used name for the same adapter). Many server-side request forgery vulnerabilities are relatively easy to spot, because the application's normal traffic involves request parameters containing full URLs Blind SSRF Blind SSRF vulnerabilities arise when an application can be induced to issue a back-end HTTP request to a