SSRF via follow-redirect on a trusted host

/redirect · sink: requests.get

The validator checks only the hostname of the URL that was submitted. The fetcher then follows 302 redirects without re-checking where they lead.

Hint

The validator allows hosts ending in .vulnlab.dev. This server hosts a redirector at /r/?to=<url> — so a fetch to https://ssrf.vulnlab.dev/r/?to=<internal> passes validation and then follows the redirect.
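The bug from a defender's view, as an added example that is not the lab's code: the validate-once fetcher beside one that re-runs the allow-list on every hop and never lets the HTTP client follow redirects on its own. The internal host `internal.example`, the `FAKE_NET` table and the `fetch_once` callback are constructed stand-ins so the example runs offline.

```python
from urllib.parse import urlparse, urljoin

ALLOWED_SUFFIX = ".vulnlab.dev"   # the lab's allow-list rule
REDIRECTS = {301, 302, 303, 307, 308}
MAX_HOPS = 3

def host_allowed(url: str) -> bool:
    """The lab's check: scheme is http(s) and the hostname ends in .vulnlab.dev."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.hostname) and p.hostname.endswith(ALLOWED_SUFFIX)

def _location(headers):
    # Header names are case-insensitive (requests.Response.headers already handles this).
    return next((v for k, v in headers.items() if k.lower() == "location"), None)

def naive_fetch(url, fetch_once):
    """The lab's bug: validate the submitted URL once, then follow redirects blindly."""
    if not host_allowed(url):
        raise ValueError(f"blocked: {url}")
    for _ in range(MAX_HOPS + 1):
        status, headers, body = fetch_once(url)
        loc = _location(headers)
        if status in REDIRECTS and loc:
            url = urljoin(url, loc)      # no re-check: an internal Location is fetched
            continue
        return status, body
    raise ValueError("too many redirects")

def safe_fetch(url, fetch_once):
    """Hardened: the allow-list runs on every hop, and hop count is bounded."""
    for _ in range(MAX_HOPS + 1):
        if not host_allowed(url):
            raise ValueError(f"blocked: {url}")
        status, headers, body = fetch_once(url)
        loc = _location(headers)
        if status in REDIRECTS and loc:
            url = urljoin(url, loc)
            continue
        return status, body
    raise ValueError("too many redirects")

# Constructed stand-in for the network: the lab's redirector plus a made-up internal host.
# In production, fetch_once would wrap requests.get(url, allow_redirects=False, timeout=5).
FAKE_NET = {
    "https://ssrf.vulnlab.dev/r/?to=http://internal.example/secret":
        (302, {"Location": "http://internal.example/secret"}, b""),
    "http://internal.example/secret": (200, {}, b"INTERNAL"),
    "https://ssrf.vulnlab.dev/r/?to=/ok": (302, {"location": "/ok"}, b""),
    "https://ssrf.vulnlab.dev/ok": (200, {}, b"public"),
}

def fake_fetch_once(url):
    return FAKE_NET[url]
```

The fix is the `allow_redirects=False` plus per-hop re-validation; a host-suffix check alone still needs DNS/IP checks in real deployments, which this lab does not cover.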
