Classic Server-Side Request Forgery (SSRF) vulnerabilities are usually based on XXE or exploitable business logic that sends HTTP requests to URLs derived from user-controlled input. Routing-based SSRF relies on the use of intermediate components that are popular in many cloud-based architectures. This includes internal load balancers and reverse proxies.
These components receive requests and forward them to the appropriate backend. If they are not securely configured to forward requests that do not verify the host header, they may be manipulated to route requests incorrectly to any system chosen by the attacker.
These systems are good targets as they are often in a privileged network location, which allows them to receive requests directly from the public network and access many internal networks. This makes the host head a powerful carrier of SSRF attacks, and it is possible to transform a simple load balancer into a gateway to the whole internal network. Burp Collaborator can be used to help identify Routing-based SSRF vulnerabilities.
See also: Server-Side Request Forgery (SSRF)