Scanning layers
Tests external SSRF, cloud metadata access, IP-encoding and DNS bypasses of host filters, and localhost/internal network reachability.
Severity Classification
CRITICAL
GCP metadata service accessible. The server resolves and connects to metadata.google.internal or 169.254.169.254 and the metadata API responds. An attacker can then read instance attributes and request the attached service account's OAuth token, which typically leads to full compromise of the project's cloud infrastructure. Caveat when confirming: the v1 API rejects requests that lack the Metadata-Flavor: Google header, so token theft depends on the proxy forwarding attacker-supplied headers (the legacy v1beta1 endpoint did not require the header); a metadata response of any kind is still rated CRITICAL because it proves the link-local address is reachable.
HIGH
External SSRF confirmed + localhost/internal network reachable. Metadata is blocked but attacker can scan internal services, access admin panels on localhost, and map the internal network topology.
MEDIUM
External SSRF confirmed. The proxy fetches arbitrary external URLs on behalf of the attacker, but loopback, private and link-local destinations are blocked. Still allows disclosure of the server's egress IP, abuse of the server as an open proxy or request amplifier, and reaching third-party webhooks or allowlisted APIs that trust that IP. Treat the rating as provisional until the IP bypass and localhost layers have been run: a blocklist that only matches literal strings such as 127.0.0.1 or 169.254.169.254 is usually defeated by alternate encodings (2130706433, 0x7f000001, 0177.0.0.1, 127.1, [::ffff:127.0.0.1]), by a hostname that resolves to an internal address, by DNS rebinding between the check and the connect, or by an external URL that redirects to an internal one when the proxy follows redirects.
FIXED
Proxy endpoint removed, protected, or properly restricted: either the destination host is taken from a fixed allowlist rather than the request, or every hostname is resolved first, every resulting address is rejected if it is loopback, private, link-local, unspecified or the metadata address, the connection is made to the checked IP rather than the name, and each redirect hop is checked the same way. The server does not fetch attacker-controlled URLs; no SSRF exploitation possible.
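The following is an added example, not code from the scanner or page above: a Python destination check that places a proxy target on the severity ladder described here (metadata, internal, external, blocked) and a gate that allows only external targets. It covers the bypass spellings the IP bypass layer probes (decimal, hex, octal and shortened IPv4 literals, IPv4-mapped IPv6) and checks every address a hostname resolves to, so a name that resolves to both a public and a loopback address is treated as internal. The resolver is injectable; SAMPLE_DNS, sample_resolve and the hostnames inside it are constructed for offline demonstration and are not real records, and the short alias "metadata" is assumed to reach the GCP metadata server (the page names only metadata.google.internal).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Names and addresses that reach the GCP metadata service (the CRITICAL case).
# The short alias "metadata" is an assumption; the page names only the FQDN.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}
METADATA_IPS = {ipaddress.ip_address("169.254.169.254")}

# Constructed sample DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "example.com": ["93.184.216.34"],
    "internal-admin.corp": ["10.0.0.5"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],
}


def sample_resolve(host):
    """Offline stand-in for DNS: returns the constructed answers above."""
    return SAMPLE_DNS.get(host, [])


def system_resolve(host):
    """Real resolver: every A/AAAA answer the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _parse_ipv4_literal(host):
    """Parse the lenient IPv4 spellings that inet_aton/connect() accept but
    ipaddress.ip_address() rejects: '2130706433', '0x7f000001', '0177.0.0.1',
    '127.1'. Returns an IPv4Address, or None if host is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = []
    for p in parts:
        if not p or not (p.isascii() and p.isalnum()):
            return None
        try:
            if p[:2].lower() == "0x":
                vals.append(int(p[2:], 16))      # hex octet/word
            elif len(p) > 1 and p[0] == "0":
                vals.append(int(p, 8))           # leading zero means octal
            else:
                vals.append(int(p, 10))
        except ValueError:
            return None
    *leading, last = vals
    # inet_aton rule: the last part fills all remaining bytes of the address.
    if any(v > 255 for v in leading) or last >= 1 << (8 * (4 - len(leading))):
        return None
    value = last
    for i, v in enumerate(leading):
        value += v << (8 * (3 - i))
    return ipaddress.IPv4Address(value)


def _addresses(host, resolve):
    """All IPs the host can map to, with IPv4-mapped IPv6 unwrapped so that
    ::ffff:127.0.0.1 is judged as 127.0.0.1."""
    literal = _parse_ipv4_literal(host)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = [ipaddress.ip_address(host)]          # IPv6 literal such as ::1
        except ValueError:
            try:
                addrs = [ipaddress.ip_address(a) for a in resolve(host)]
            except (OSError, ValueError):                 # NXDOMAIN, bad answer
                return []
    out = []
    for a in addrs:
        if a.version == 6 and a.ipv4_mapped is not None:
            a = a.ipv4_mapped
        out.append(a)
    return out


def _is_internal(addr):
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast)


def classify(url, resolve=system_resolve):
    """Map a proxy target onto the severity ladder: 'metadata' (CRITICAL),
    'internal' (HIGH), 'external' (MEDIUM) or 'blocked' (non-HTTP scheme,
    no host, or unresolvable). Every resolved address must be public for the
    target to count as external; one internal answer is enough to flag it."""
    parts = urlsplit(url)
    host = parts.hostname          # lowercased, brackets and userinfo stripped
    if parts.scheme not in ("http", "https") or not host:
        return "blocked"
    host = host.rstrip(".")
    if host in METADATA_HOSTS:
        return "metadata"
    addrs = _addresses(host, resolve)
    if not addrs:
        return "blocked"
    if any(a in METADATA_IPS for a in addrs):
        return "metadata"
    if any(_is_internal(a) for a in addrs):
        return "internal"
    return "external"


def allowed(url, resolve=system_resolve):
    """Gate for the proxy: fetch only when the target classifies as external."""
    return classify(url, resolve) == "external"
```

Two things the check cannot do on its own: it must be applied to the IP the HTTP client actually connects to (resolve once, connect to that address) or a rebinding DNS name can pass the check and then point at 127.0.0.1 for the connect; and if the proxy follows redirects, classify() has to be re-run on every hop, since an external URL may redirect to an internal one.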