➡Change single character
➡Sending empty value of token
➡Replace the token with same length
➡Changing POST / GET method
➡Remove the token from request
➡Use another user's valid token
➡Try to decrypt hash
🏹Use The Whole IP Range For Testing SSRF
(198.0.0.1-255) #bugbounty
. . .
🏹Obfuscate Strings In URL Encode or Case Transformation (Blocked Words Bypass)
🏹Use Registered Domain Names That Resolves To 127.0.0.1
➡Try changing the request method, for example POST to GET
➡Try remove the value of the captcha parameter
➡Try reuse old captcha token
➡Convert JSON data to normal request parameter
➡Using "X-Original-URL" header
➡Appending %2e after the first slash
➡Try add dot (.) slash (/) and semicolon (;) in the URL
➡Add "..;/" after the directory name
➡Try to uppercase the alphabet in the url