hunt-ssrf

## Crown Jewel Targets SSRF is highest-value when the target runs on cloud infrastructure (AWS, GCP, Azure) where metadata services expose credentials, or when the server sits inside a complex internal network (Kubernetes clusters, microservice meshes, internal APIs). Priority targets: - **Cloud-hosted SaaS products** (GCP metadata at `169.254.169.254` or `metadata.google.internal`, AWS IMDSv1) - **Kubernetes/orchestration platforms** — aggregated API servers, metrics-server, kubelet endpoints expose privileged cluster operations - **Internal developer tooling** — CI/CD, workflow orchestration (Flyte, Argo), admin panels not exposed externally - **Link preview / URL fetching features** — Reddit-style preview APIs, Slack-style unfurling, media processors - **Dataset/file import pipelines** — anything that fetches remote URLs on behalf of a user - **Enterprise self-hosted software** (GitHub Enterprise, GitLab) — SSRF frequently chains to RCE via internal services Payouts are highest when SSRF reaches: cloud credentials → account takeover, internal admin APIs → data exfil, or chains to RCE. --- ## OOB-Or-It-Didn't-Happen Gate (Read First) **Claims of blind SSRF require an out-of-band (OOB) confirmation. Always. No exceptions.** OOB means: a Burp Collaborator domain, an `interactsh-client` listener, a canarytoken, or any DNS+HTTP receiver you control that confirms the server actually made an outbound network connection on your behalf. ### What is NOT confirmation of SSRF ...