It is possible to bypass the current SSRF checks using a redirect via the Location header.
1.) Mock a redirect endpoint using https://beeceptor.com/
2.) Add Location: http://localhost:1122 as a response header and set the status code to 301
3.) Listen on port 1122
4.) Access the following resource: /proxy?url=http://<id>.free.beeceptor.com (http is important here)
5.) The request will be made to localhost:1122
From my understanding, the code implements its own redirection handling by reading the Location header and doing a new request. But this happens after setInstanceFollowRedirects is set to true. By setting it to true, the connection will follow redirects automatically before any checks.
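For reference, the following is an added illustration of the fix direction (not the project's code): disable automatic redirects on the HttpURLConnection and re-run the target check on every hop before opening the next connection. `isAllowedTarget` is a hypothetical policy standing in for the project's own SSRF check, and MAX_REDIRECTS is an assumed limit.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URISyntaxException;
import java.net.URL;

// Added example, not the project's code: follow redirects manually so that
// every hop, not only the user-supplied URL, is validated before connecting.
public class SafeRedirectFetch {
    private static final int MAX_REDIRECTS = 5; // assumed limit

    // Hypothetical policy standing in for the project's SSRF check: only
    // http/https, and no loopback, private, link-local or wildcard targets.
    static boolean isAllowedTarget(URL url) throws IOException {
        String scheme = url.getProtocol();
        if (!scheme.equals("http") && !scheme.equals("https")) return false;
        for (InetAddress addr : InetAddress.getAllByName(url.getHost())) {
            if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                    || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()) {
                return false;
            }
        }
        return true;
    }

    static boolean isRedirect(int status) {
        return status == 301 || status == 302 || status == 303
                || status == 307 || status == 308;
    }

    static HttpURLConnection open(String target) throws IOException {
        URL url = new URL(target);
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            if (!isAllowedTarget(url)) {
                throw new IOException("blocked target: " + url);
            }
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setInstanceFollowRedirects(false); // never let the JDK follow for us
            int status = conn.getResponseCode();
            if (!isRedirect(status)) {
                return conn; // final response; the caller reads the body
            }
            String location = conn.getHeaderField("Location");
            conn.disconnect();
            if (location == null) throw new IOException("redirect without Location");
            try {
                // Resolve relative redirects against the current URL, then loop to re-check.
                url = url.toURI().resolve(location).toURL();
            } catch (URISyntaxException | IllegalArgumentException e) {
                throw new IOException("malformed Location header", e);
            }
        }
        throw new IOException("too many redirects");
    }
}
```

Note that resolving the host in the check and again when connecting leaves a DNS rebinding window; a stricter version would connect to the exact address it validated.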