SSRF via APIs

Any endpoint that fetches a URL (image proxy, link preview, webhook, oEmbed, /import) is a tunnel an attacker can point at your internal network. This article covers cloud metadata and IMDS, the bypass tricks (redirects, parser confusion, DNS rebinding), blind SSRF, protocol smuggling, and webhook SSRF.
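
A destination check for a URL-fetching endpoint, written from the defender's side. This is an added example, not code from the original article. It judges the resolved addresses rather than the hostname string, pins the address it checked, and re-validates every redirect hop. Assumptions: the `send` transport, the `SAMPLE_DNS` table and its hostnames are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # anything else (gopher, file, ...) is refused
# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {"cdn.example.com": ["93.184.216.34"],
              "meta.example.net": ["169.254.169.254"],
              "rebind.example.net": ["93.184.216.34", "10.0.0.5"]}

def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [host])  # unknown names are treated as IP literals

def system_resolver(host, port):
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped:  # e.g. ::ffff:169.254.169.254
        ip = ip.ipv4_mapped
    return not ip.is_global or ip.is_multicast

def check_destination(url, resolver=system_resolver):
    """Return (host, port, pinned_ip) for an allowed URL, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolver(parts.hostname, port)
    # Judge the resolved addresses, not the hostname string; reject if ANY is internal.
    if not addrs or any(is_internal(a) for a in addrs):
        raise ValueError("destination resolves to a non-public address")
    return parts.hostname, port, addrs[0]  # caller connects to this IP only

def fetch_with_checks(url, send, resolver=system_resolver, max_hops=3):
    """send(url, ip) is a hypothetical transport returning (status, location, body).
    It must connect to ip without a second lookup and must not follow redirects."""
    for _ in range(max_hops + 1):
        _, _, ip = check_destination(url, resolver)
        status, location, body = send(url, ip)
        if status not in (301, 302, 303, 307, 308) or not location:
            return status, body
        url = urljoin(url, location)  # every hop is validated again
    raise ValueError("too many redirects")
```

Connecting to the pinned address instead of resolving the name a second time is what closes the DNS rebinding window. An egress firewall rule for the fetcher is still worth having as a second layer.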
