I was learning about port scanning and I understand what, why and how. However, I do not understand why a bug bounty hunter or a penetration tester (strictly for web app assessment) would run a port scan on a web domain.
Let's say that, through SSRF, someone is able to do an internal port scan and even find open ports. The potential damage would be on the server itself, right? If a vulnerable service is running on open ports, and it's possible that the domain is hosted on a third-party hosting service, what's the damage to the domain itself?
The only damage I can think of is the server getting owned completely, hence the domain being damaged, but is there any other reason?