Paste a URL the agent or backend is about to fetch. The analyzer decodes the host (decimal, hex, octal, alias), checks it against cloud metadata IPs, RFC 1918, link-local, and loopback ranges, flags unusual URL schemes, and surfaces eight SSRF-relevant findings.
Runs the canonical 4-stage hardening flow on the server: parse → pre-flight rule check → DNS resolve + re-check every IP (DNS-rebinding defence) → bounded fetch. Each stage's pass/fail is shown below.
169.254.169.254 (AWS, GCP, Azure) and 100.100.100.200 (Alibaba) are the SSRF targets. Reading IAM credentials, service account tokens, and user-data from these endpoints has been the root cause of the Capital One breach, multiple GCP misconfiguration incidents, and many bug-bounty payouts. On AWS, only IMDSv2 (with required token) blocks naive SSRF. On all three, host-level firewalling of link-local from application processes is the durable fix.
169.254.169.254
CRITICAL SSRF08
Cloud metadata path pattern
Path matches a known cloud metadata URL (AWS /latest/meta-data, GCP /computeMetadata/v1, Azure /metadata/instance). Even if the host validator passed, the path strongly suggests an exfiltration attempt.
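The parse, pre-flight and resolve-and-re-check stages described above, together with the metadata path check, as an added Python sketch (not the analyzer's own code). The function names, finding labels, case-insensitive path match and the `SAMPLE_DNS` answers are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for this sketch; the page names these classes but not the tool's rule set.
METADATA_IPS = {ipaddress.ip_address(a) for a in ("169.254.169.254", "100.100.100.200")}
METADATA_PATHS = ("/latest/meta-data", "/computemetadata/v1", "/metadata/instance")
# Constructed DNS answers so the example runs offline; pass a real resolver in production.
SAMPLE_DNS = {"public.example": ["93.184.216.34"],
              "rebind.example": ["93.184.216.34", "169.254.169.254"]}

def decode_host(host):
    """Return the IP for any literal form (dotted, decimal, hex, octal, IPv6), else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:  # inet_aton accepts the legacy forms: 2852039166, 0xA9FEA9FE, 0251.0376.0251.0376
        return ipaddress.ip_address(socket.inet_aton(host))
    except (OSError, ValueError):
        return None

def ip_finding(ip):
    """Name the blocked class an address belongs to, or None if it is publicly routable."""
    ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:a.b.c.d must hit the IPv4 rules
    if ip in METADATA_IPS:
        return "cloud-metadata"
    for kind in ("loopback", "link_local", "private"):
        if getattr(ip, "is_" + kind):
            return kind
    return None

def preflight(url, resolve=SAMPLE_DNS.get):
    """Stages 1-3: parse, rule check, resolve and re-check every IP.
    Returns (findings, ips); the bounded fetch must connect only to the returned ips."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = [] if parts.scheme in ("http", "https") else ["scheme:" + parts.scheme]
    if parts.path.lower().startswith(METADATA_PATHS):  # case-insensitive match, an assumption
        findings.append("metadata-path")
    literal = decode_host(host)
    ips = [literal] if literal is not None else [ipaddress.ip_address(a) for a in resolve(host) or []]
    if not ips:
        findings.append("unresolvable-host")
    findings += [f"{k}:{ip}" for ip in ips if (k := ip_finding(ip))]
    return findings, ips
```

An empty findings list means the URL passed; pinning the fetch to the returned `ips` instead of resolving the name a second time is what closes the DNS-rebinding window.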