This page is served through the application's SSRF vulnerability
This page is hosted on an attacker-controlled server but rendered under the application's domain. Because the browser treats this as same-origin content, all cookies, localStorage, and session tokens for this domain are accessible to this page.
Any cookie not flagged HttpOnly (including session tokens) is readable via JavaScript, and same-origin requests carry the remaining cookies automatically. An attacker can steal authenticated sessions and impersonate any user who visits this URL.
Because the browser address bar shows the company's legitimate domain, a fake login form (demonstrated below) would appear fully trustworthy — bypassing user suspicion and browser phishing warnings.
JavaScript on this page can make authenticated fetch() calls to the application's internal APIs, exfiltrate data, modify records, or perform actions as the victim user.
Tokens, JWTs, user preferences, and cached data stored in browser storage are fully accessible and can be exfiltrated silently.
The SSRF endpoint itself can be abused to scan internal hosts and services (e.g., cloud metadata at 169.254.169.254, internal APIs, databases) that are not reachable from the internet.
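The defender-side counterpart, as an added example that is not part of this demo page: a fetch endpoint that only contacts hosts on an allowlist, rejects any name that resolves to a loopback, private or link-local address (which covers 169.254.169.254), pins the connection to the checked IP, and relays bodies with headers that stop the browser rendering them as HTML under the application's origin. The function and header names and the `images.example` allowlist are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges a server-side fetcher must never reach: loopback, RFC 1918, CGNAT,
# link-local (contains the cloud metadata address 169.254.169.254) and their
# IPv6 counterparts. IPv4-mapped IPv6 addresses are unwrapped before the check.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Headers for anything the fetcher relays to the browser, so a fetched body is
# downloaded or shown as opaque bytes, never executed as a page in our origin.
PROXY_RESPONSE_HEADERS = {
    "Content-Type": "application/octet-stream",
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": "attachment",
    "Content-Security-Policy": "default-src 'none'; sandbox",
}


def is_blocked_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_all(host: str) -> set:
    """Every address the name maps to (stubbed with a lambda in offline tests)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_fetch_target(url: str, allowed_hosts: set, resolver=resolve_all) -> tuple:
    """Return (ip, port) to connect to, or raise ValueError.
    Allowlist first (so only approved names are resolved), then every resolved
    address, since an approved name can be pointed at an internal IP. Callers
    connect to the returned IP instead of re-resolving, so the DNS answer cannot
    change between check and use."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL not allowed")
    host = parsed.hostname or ""
    if host not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host!r}")
    ips = resolver(host)
    for ip in ips:
        if is_blocked_ip(ip):
            raise ValueError(f"{host} resolves to blocked address {ip}")
    return sorted(ips)[0], parsed.port or (443 if parsed.scheme == "https" else 80)
```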
The form below demonstrates how an attacker could present a fake login page that appears to be served from the company's domain. Users would have no visual indicator that this is malicious.