
from claude-bughunter231
Guided hunting methodology for server-side request forgery (SSRF): detection, OOB validation, payloads, bypass techniques, and escalation chains.
Provides a structured, field-tested methodology for discovering and validating SSRF vulnerabilities. Includes target prioritization (cloud metadata, Kubernetes, link-preview endpoints), out-of-band confirmation (Burp Collaborator / interactsh), payloads for cloud metadata and internal services, and bypass techniques for common filters. Also offers triage guidance to confirm impact and reproducibility.
Use this skill during web application security testing, bug-bounty hunts, and red-team engagements when you need to systematically find SSRF sinks, confirm blind SSRF via OOB callbacks, and escalate findings to cloud credential exfiltration or internal service access. Ideal for endpoints that accept URLs, file imports, link previews, and headless-renderer features.
Inferable: agents with security-testing and network fetch tools (Claude Code, Hermes-like security assistants, LLM agents that can run curl/requests).
This skill has not been reviewed by our automated audit pipeline yet.