=== What is the potential impact?

SSRF usually results in unauthorized actions or data disclosure in the
vulnerable application or on a different system it can reach. Conditional to
what is reachable, remote command execution can be achieved, although it often
requires chaining with further exploitations.

Information disclosure is SSRF's core outcome. Depending on the extracted data,
an attacker can perform a variety of different actions that can range from low
to critical severity.

Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the vulnerability.

==== Local file read to host takeover

An attacker manipulates an application into performing a local request for a
sensitive file, such as `~/.ssh/id_rsa`, by using the File URI scheme
`file://`. +
Once in possession of the SSH keys, the attacker establishes a remote
connection to the system hosting the web application.

==== Internal Network Reconnaissance

An attacker enumerates internal accessible ports from the affected server or
others to which the server can communicate by iterating over the port field in
the URL `\http://127.0.0.1:{port}`. +
Taking advantage of other supported URL schemas (dependent on the affected
system), for example, `gopher://127.0.0.1:3306`, an attacker would be able to
connect to a database service and perform queries on it.