SSRF is a vulnerability where an attacker coerces a server into making HTTP or other requests to a destination the attacker chooses. Because the request originates from the trusted backend, it can reach internal services, localhost, and cloud metadata endpoints that are unreachable externally. The SSRF generator crafts these payloads with IP-encoding tricks.
Point the vulnerable request at the cloud metadata service to harvest credentials. AWS uses http://169.254.169.254/latest/meta-data/ (IMDSv2 requires a token header), GCP uses metadata.google.internal with the Metadata-Flavor: Google header, and Azure uses 169.254.169.254/metadata with an api-version parameter. Stolen instance role keys often enable lateral movement.
Filters that blocklist 127.0.0.1 or 169.254.169.254 often miss alternate representations. Try decimal 2130706433, octal 0177.0.0.1, hex 0x7f000001, IPv6-mapped [::ffff:127.0.0.1], and shorthand like 127.1. DNS rebinding and an attacker-controlled hostname that resolves to an internal IP can also slip past name-based allowlists.
Yes, the SSRF generator is free and operates 100% client-side, so the target URLs and encoded payloads you generate are never sent anywhere. It is intended only for authorized security testing such as bug bounties, pentests, and CTFs on systems you are permitted to test.