How to find SSRF, Bypass Cloudflare, and extract AWS metadata
I was working on a program, and since I have no permission to disclose the name of the target, let's call it redacted.com.
After a little bit of poking around this program, I came to an endpoint that looked something like this: https://redacted.com/api/download-pdf?url="http://SomeThing.com".
I immediately fired up my Burp Collaborator and replaced the default URL with mine. Fortunately, my Burp Collaborator received HTTP and DNS requests, and I got the Burp page back in the response.
The next thing that came to my mind was: let's put http://localhost there to see if I get an interesting response!
But I got:
There was a protection in place for this one, but I didn't give up. I went through all the ways to bypass a localhost restriction and tried all of these payloads:
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://127.1:80
http://0
http://0.0.0.0:80
http://localhost:80…
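For the defending side, here is the kind of server-side check that blocks every payload in this list, including the 169.254.169.254 instance-metadata address from the title. This is an added example, not code from the program described above; the function name and the fail-closed policy are my assumptions. It normalises shorthand addresses like 127.1 and 0 the same way the OS resolver does, resolves hostnames, and only allows targets whose every address is globally routable.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host: str) -> list:
    """Return every IP address the host maps to.

    inet_aton accepts the abbreviated numeric forms (127.1, 0, 0x7f000001,
    2130706433) that a plain string denylist misses, so numeric hosts are
    normalised through it before any DNS lookup happens.
    """
    try:
        packed = socket.inet_aton(host)
        return [ipaddress.ip_address(socket.inet_ntoa(packed))]
    except OSError:
        pass  # not a numeric IPv4 host, fall through to the resolver
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []  # unresolvable: the caller fails closed
    addrs = []
    for info in infos:
        addr = ipaddress.ip_address(info[4][0])
        # unwrap ::ffff:127.0.0.1 so it is judged as the IPv4 address it is
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        addrs.append(addr)
    return addrs


def is_safe_fetch_url(url: str) -> bool:
    """Assumed policy: only http(s) to globally routable addresses is allowed."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    addrs = _resolve(parsed.hostname)
    if not addrs:
        return False
    # loopback, 0.0.0.0, RFC 1918, link-local (169.254.0.0/16) and ::1 all fail is_global
    return all(addr.is_global and not addr.is_multicast for addr in addrs)


if __name__ == "__main__":
    for payload in ("http://127.1:80", "http://0", "http://0.0.0.0:80",
                    "http://localhost:80", "http://169.254.169.254/latest/meta-data/",
                    "https://8.8.8.8/report.pdf"):
        print(f"{payload:45} {'allowed' if is_safe_fetch_url(payload) else 'blocked'}")
```

The check must be re-applied to every redirect hop, and the fetcher should connect to the address that was validated rather than re-resolving the name, otherwise a redirect or a DNS answer that changes between checks sidesteps it.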