/allowlist · sink: requests.get
Only fetches if the URL 'contains' vulnlab.dev — which the validator checks the wrong way.
The check is `'vulnlab.dev' in url`. The trusted token doesn't have to be in the host. Try a path or query string.
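The substring check described above next to a host-based check, as an added example that is not the lab's own source. The function names, the `other.example` placeholder host and the sample URLs are constructed for illustration, and accepting subdomains of vulnlab.dev is an assumption.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "vulnlab.dev"  # the trusted token named in the lab text


def substring_check(url: str) -> bool:
    """The flawed check from the lab: the token may sit anywhere in the URL."""
    return TRUSTED_DOMAIN in url


def host_check(url: str) -> bool:
    """Hardened check (hypothetical helper): parse first, compare the host only."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # hostname is already lowercased by urlsplit; drop a trailing root dot
    host = (parts.hostname or "").rstrip(".")
    # Exact match, or a subdomain (assumption: subdomains are trusted too).
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed sample URLs; other.example stands in for any non-trusted host.
SAMPLES = [
    "https://vulnlab.dev/status",
    "https://api.vulnlab.dev/v1/items",
    "http://other.example/vulnlab.dev",        # token only in the path
    "http://other.example/?next=vulnlab.dev",  # token only in the query string
]


def compare(urls=SAMPLES):
    """Return (url, substring verdict, host verdict) for each URL."""
    return [(u, substring_check(u), host_check(u)) for u in urls]


if __name__ == "__main__":
    for url, weak, strict in compare():
        print(f"{url:42} substring={weak!s:5} host={strict}")
```

Validating the host does not cover redirects or a trusted name that resolves to an internal address; pass `allow_redirects=False` to `requests.get` or re-validate every hop.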