Many people still think that SSRF is only about XXE vulnerabilities but, as I have already presented at the POC conference, there are many different places in XML-based protocols (WS family, XBRL, BPEL, etc.) and in business applications where we can put a link to other resources.
For example, WS-Addressing.
It has To and ReplyTo tags through which we can call remote locations over HTTP and sometimes over other protocols such as Gopher, so it is possible to send almost any TCP packet to any local port or to any host in the internal network.
<To xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8888/SoapContext/GreeterPort</To>
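On the receiving side, the addressing headers can be checked before the SOAP stack dereferences them. The following is an added example, not code from the original post: it extracts To, ReplyTo and (going slightly beyond the text) FaultTo from an envelope and rejects any endpoint whose scheme or host is not allowed. The allowlisted host `services.example.com` and the sample envelope are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WSA = "{http://www.w3.org/2005/08/addressing}"
ANONYMOUS = "http://www.w3.org/2005/08/addressing/anonymous"
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"services.example.com"}  # hypothetical allowlist (assumption)

def check_uri(uri):
    """Return None if the endpoint URI is acceptable, else a reason string."""
    uri = (uri or "").strip()
    if uri == ANONYMOUS:  # reply is sent back on the same connection
        return None
    try:
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()  # ignores any userinfo@ prefix
    except ValueError:
        return "unparseable URI"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme %r not allowed" % parts.scheme
    if host not in ALLOWED_HOSTS:
        return "host %r not on allowlist" % host
    return None

def audit_envelope(xml_text):
    """List (element, uri, reason) for each rejected addressing endpoint."""
    root = ET.fromstring(xml_text)
    findings = []
    for name in ("To", "ReplyTo", "FaultTo"):
        for el in root.iter(WSA + name):
            # To carries the URI directly; ReplyTo/FaultTo wrap it in Address.
            addr = el if name == "To" else el.find(WSA + "Address")
            uri = addr.text if addr is not None else None
            reason = check_uri(uri)
            if reason:
                findings.append((name, (uri or "").strip(), reason))
    return findings

# Constructed sample envelope, not captured traffic.
SAMPLE = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsa="http://www.w3.org/2005/08/addressing"><soap:Header>
 <wsa:To>http://localhost:8888/SoapContext/GreeterPort</wsa:To>
 <wsa:ReplyTo><wsa:Address>gopher://10.0.0.5:70/</wsa:Address></wsa:ReplyTo>
 <wsa:FaultTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:FaultTo>
 </soap:Header><soap:Body/></soap:Envelope>"""

if __name__ == "__main__":
    for finding in audit_envelope(SAMPLE):
        print(finding)
```

A hostname allowlist does not cover HTTP redirects issued by an allowed host, so the client that finally makes the request should also refuse to follow redirects.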