📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.

⚠️ Authorised Testing Only. This article covers offensive vulnerability techniques including Server-Side Request Forgery (SSRF) and Cross-Site Request Forgery (CSRF). All techniques described are for educational purposes and legal security testing on systems you own or have explicit written permission to test. Unauthorised testing is illegal under the Computer Fraud and Abuse Act, the Computer Misuse Act, and equivalent laws worldwide. Always operate within a programme’s defined scope.

A hunter I know spent three days building a solid report — detailed reproduction steps, impact analysis, the works. He filed it as CSRF. The programme triaged it, came back with a severity downgrade, and paid him $150. Two weeks later, reading someone else’s disclosure, he realised what he’d actually found: an SSRF vulnerability hitting an internal service.…