A URL-fetch endpoint with no destination validation. Supply URLs that make the server reach into its own loopback, cloud metadata service, internal network, or local filesystem — places the attacker cannot reach directly.
SSRF occurs when a server fetches a URL supplied by the user without validating where that URL points. The attacker cannot reach internal services directly, but the server can — so they make the server do it for them. Classic targets include http://127.0.0.1/admin (loopback services), http://169.254.169.254/ (AWS/GCP/Azure metadata), internal RFC-1918 hosts, and file:// URLs that read the local filesystem.
| Outcome | Test URL and observed result |
|---|---|
| True Positive | https://api.example.com/data — external URL, normal fetch, no vulnerability |
| Bug Found | http://127.0.0.1:8080/admin — loopback reaches internal admin panel with DB credentials |
| Bug Found | http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role — AWS metadata endpoint returns IAM keys |
| Bug Found | http://192.168.1.1/ — internal network host returns router config with Wi-Fi password |
| Bug Found | file:///etc/passwd — file:// scheme not blocked, reads local filesystem |
This endpoint accepts any URL and passes it directly to the server-side HTTP client with no destination validation. Enter a URL or use a quick-test button.
✗ No URL validation

This endpoint validates the scheme (http/https only) and checks the resolved hostname against a blocklist of RFC-1918 ranges, loopback addresses, and the cloud metadata endpoint before making the request.

✓ Scheme + IP blocklist validation

https://api.example.com/data on Endpoint A — external URL, the server would fetch it normally. No internal resources are exposed (true positive).

http://127.0.0.1:8080/admin on Endpoint A — loopback address is only reachable from the server itself. The response returns the internal admin panel with database credentials and secret keys (bug found).

http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role on Endpoint A — the AWS instance metadata endpoint is accessible only from the EC2 instance. It returns temporary IAM credentials granting API access to the cloud account (bug found).

http://192.168.1.1/ on Endpoint A — the server pivots into the internal LAN and retrieves the router admin page, including the Wi-Fi password (bug found).

file:///etc/passwd on Endpoint A — the file:// scheme is not blocked, so the server reads the local filesystem and returns system user accounts (bug found).
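The scheme-plus-resolved-address check that the hardened endpoint describes, written out as an added example (not the lab's own code). The `demo_resolver` table is constructed so the example runs offline; a real endpoint would pass `resolve_all`, which uses the system resolver, and must apply the check to the address it actually connects to, not just to the hostname string.

```python
"""Destination validation for a server-side URL fetch (SSRF defence)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # file://, gopher://, etc. are rejected

# Destinations the server must never fetch on a user's behalf: loopback,
# RFC-1918, link-local (covers the 169.254.169.254 metadata service) and
# their IPv6 equivalents. ip_address(...).is_private overlaps with most of
# these; the explicit list keeps the policy readable and auditable.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def resolve_all(host):
    """Every address the hostname resolves to (A and AAAA), via the OS."""
    return [ipaddress.ip_address(info[4][0])
            for info in socket.getaddrinfo(host, None)]


def demo_resolver(host):
    """Constructed lookup table so the example runs without DNS."""
    table = {"api.example.com": ["93.184.216.34"],
             "metadata.internal": ["169.254.169.254"],   # hostname hiding a blocked IP
             "db.corp": ["10.0.0.5"]}
    if host not in table:
        raise socket.gaierror(f"unknown host {host}")
    return [ipaddress.ip_address(ip) for ip in table[host]]


def is_blocked_ip(ip):
    return (any(ip in net for net in BLOCKED_NETWORKS) or ip.is_private
            or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)


def check_url(url, resolver=resolve_all):
    """Return (allowed, reason). Scheme is checked first, then every
    resolved address is checked against the blocklist."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme}' not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        ips = [ipaddress.ip_address(host)]      # literal IP, no lookup needed
    except ValueError:
        try:
            ips = resolver(host)
        except OSError as exc:                  # socket.gaierror is an OSError
            return False, f"resolution failed: {exc}"
    for ip in ips:
        if is_blocked_ip(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"
```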