Depends of program rules:
This involves the manipulation of a web app such that server-side code (e.g. PHP) is executed.
Investigate only with the IDs of your own test accounts — do not leverage the issue against other users' data — and describe your full reproduction process in the report.
Cross-site request forgery
When designing a real-world example, either hide the form (
Server-side request forgery
The impact of a SSRF bug will vary — a non-exhaustive list of proof of concepts includes:
Local file read
Make sure to only retrieve a harmless file. Check the program security policy as a specific file may be designated for testing.
XML external entity processing
Output random harmless data.
Claim the sub-domain discreetly and serve a harmless file on a hidden page. Do not serve content on the index page.
# Bug bounty Report
# Vulnerability details
# Proof of concept
# Browsers verified in