n a f f y | break out break in artist May 21
If you ever see any file / endpoint at *.company.com that is returning your HTTP headers when you hit it, you can try and chain this with limited/intentional SSRFs to leak the associated request headers to grab Bearers / Tokens.
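For teams that run such a header-echo or debug endpoint, the following added example (not part of the original post) shows one way to mask credential headers before echoing them, plus an audit check that reports which sensitive values a response reflects verbatim. The header lists, function names and sample values are assumptions constructed for illustration.

```python
import json
import re

# Header names that carry credentials (assumed list; extend per environment).
SENSITIVE_EXACT = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
SENSITIVE_NAME = re.compile(r"(token|secret|api[-_]?key|session|auth|credential)", re.I)
# Value shapes that look like credentials even under an unexpected header name:
# an auth scheme prefix, or a three-part JWT-like string.
SENSITIVE_VALUE = re.compile(
    r"^(Bearer|Basic|Digest)\s+\S+|^eyJ[\w-]+\.[\w-]+\.[\w-]*$", re.I)

def is_sensitive(name, value):
    lname = name.lower()
    return (lname in SENSITIVE_EXACT
            or bool(SENSITIVE_NAME.search(lname))
            or bool(SENSITIVE_VALUE.search(value.strip())))

def naive_echo(headers):
    """The risky behaviour the post describes: every request header returned as-is."""
    return json.dumps(headers, sort_keys=True)

def redacted_echo(headers):
    """Body a debug/echo endpoint can return instead: credential headers masked."""
    safe = {n: ("[REDACTED]" if is_sensitive(n, v) else v) for n, v in headers.items()}
    return json.dumps(safe, sort_keys=True)

def reflected_secrets(sent_headers, response_body):
    """Audit check: names of sensitive headers whose values appear verbatim in the body."""
    return sorted(n for n, v in sent_headers.items()
                  if is_sensitive(n, v) and v in response_body)

# Constructed sample: headers an internal server-side fetcher might attach
# to an outbound request. None of these values are real.
SAMPLE = {
    "Host": "echo.example.internal",
    "User-Agent": "fetcher/1.0",
    "Authorization": "Bearer CONSTRUCTED-TOKEN-123",
    "X-Service-Token": "constructed-service-secret",
    "X-Trace": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ0ZXN0In0.",
}

if __name__ == "__main__":
    print("naive echo reflects:   ", reflected_secrets(SAMPLE, naive_echo(SAMPLE)))
    print("redacted echo reflects:", reflected_secrets(SAMPLE, redacted_echo(SAMPLE)))
```

Redaction at the echo endpoint is one layer; stripping ambient credentials from server-side fetchers before they make outbound requests removes the value being leaked in the first place.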