In super simple terms, SSRF is Server-Side Request Forgery: a vuln where you are able to cause the web server or application to make an HTTP request to a resource it shouldn’t, providing you with information you shouldn’t be able to get access to.
Try seeing what URLs you can get a reply from (a 404, etc.), just to see what variables you can trick an app into using user input for.
Parameters are your best friend: try making the rest of a URL a random parameter that the app will ignore, so your input/query runs as expected.
If you can bypass a savvy developer’s restrictions on requests, you’re golden.
Try requesting 127.0.0.1 through a hostname whose DNS query resolves to that IP.
Other common internal IPs or URLs
Need to traverse a directory with a blocklist?
Try x/../<contenthere>
It may not know the x folder, but it will probably still resolve the ../ relative to whatever folder the command is running in!
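The defender's side of the two tricks above (a hostname that resolves to 127.0.0.1, and x/../ in the path), as an added example that is not part of the original note: the check looks at the resolved address and the normalised path, not at the raw strings. The host names, the `/public/` allowed prefix and the stand-in resolver are assumptions made for the example.

```python
import ipaddress
import posixpath
import socket
from urllib.parse import unquote, urlsplit

# Constructed sample data: a stand-in for DNS so the example runs offline.
SAMPLE_DNS = {
    "cdn.example": ["93.184.216.34"],       # public address
    "innocent.example": ["127.0.0.1"],      # harmless-looking name, loopback target
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
}

def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])

def dns_resolver(host):
    """Real lookup: every address the name maps to (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_url(url, allowed_prefix="/public/", resolver=dns_resolver):
    """Return (ok, reason) for a user-supplied URL the server is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "scheme or host not allowed"
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        addrs = []
    if not addrs:
        return False, "host does not resolve"
    # Judge the resolved addresses, not the host string: any non-global
    # address (loopback, private, link-local) rejects the whole URL.
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"resolves to internal address {addr}"
    # Decode and collapse x/../ segments before comparing with the allowed prefix.
    path = posixpath.normpath(unquote(parts.path) or "/")
    if not (path + "/").startswith(allowed_prefix):
        return False, f"path normalises to {path}"
    return True, "ok"

if __name__ == "__main__":
    for url in ("http://cdn.example/public/img.png",
                "http://innocent.example/public/img.png",
                "http://cdn.example/public/x/../../admin"):
        print(url, "->", check_url(url, resolver=sample_resolver))
```

The fetch itself should connect to the exact address that passed the check, since a second lookup of the same name can return a different answer.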
100% the best thing to do if you’re reading this short note section is to just fiddle around with SSRF; there’s a lot that just “makes sense” when doing it practically that I can’t quite put into text :)