While reviewing an application as part of a bug bounty program, I spent some time looking at a feature that allowed users to fetch external resources by providing a URL.

At first glance, the functionality appeared straightforward and included basic validation to prevent obvious abuse.
However, features that make server-side requests are often worth a closer look.

By experimenting with different URL formats and edge cases, I noticed that the backend was willing to make requests to destinations beyond what was intended.

With carefully crafted input, I was able to influence the server into issuing HTTP requests to internal IP addresses. This confirmed the presence of a Server-Side Request Forgery (SSRF) vulnerability.

Further testing showed that the server responded differently depending on whether the target address was reachable, indicating that the requests were actually being executed.

While I avoided interacting with sensitive endpoints, this behavior suggested that internal services — and potentially cloud metadata endpoints — could be accessible under the right conditions.

I reported the issue with clear reproduction steps and impact explanation. The team responded quickly and mitigated the vulnerability by implementing strict allowlisting, blocking private IP ranges, and hardening their URL parsing logic.
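As an added example (not the author's code, nor the fixed application's), here is a Python validator in the spirit of the mitigation described: an allowlist of schemes and hosts, rejection of userinfo in the URL, and a check that every address the host resolves to is public. The allowlist, the DNS table and the resolver interface are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist for this example; a real service would load its own.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline (not real records).
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.34", "10.0.0.5"],  # one private record
}

def is_public_ip(addr):
    """True only for globally routable unicast addresses: rejects loopback,
    RFC 1918/ULA, link-local (where cloud metadata services usually live),
    multicast, reserved and unspecified ranges."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # unwrap ::ffff:a.b.c.d so the IPv4 rules apply
    return ip.is_global and not ip.is_multicast

def system_resolver(host):  # live DNS: every A/AAAA address the name maps to
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def table_resolver(host):  # offline stand-in for system_resolver
    if host not in FAKE_DNS:
        raise socket.gaierror("no such host: " + host)
    return FAKE_DNS[host]

def validate_fetch_url(url, resolver=system_resolver):
    """Return (ok, reason) for a user-supplied URL before the server fetches it."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"  # e.g. https://allowed@10.0.0.1/
    host = parts.hostname  # already lowercased, brackets stripped
    if not host or host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        addrs = resolver(host)
    except (socket.gaierror, ValueError):
        return False, "host does not resolve"
    for addr in addrs:  # one private record is enough to deny the whole name
        if not is_public_ip(addr):
            return False, "resolves to non-public address " + addr
    return True, "ok"
```

The fetch itself should then connect to the address that passed validation rather than re-resolving the name, otherwise a DNS answer that changes between check and use would get past the check.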

This finding reinforced a familiar lesson: any server-side request functionality should be treated as high risk by default, even when it seems simple or well-guarded.