BugUnstuck

Trusted extra eyes for stuck bug bounty findings

SSRF | HackerOne | ssrf, dangling-dns, internal-network, js-execution, escalation | OPEN

SSRF chain via dangling DNS - need internal network proof

I have a 3-stage SSRF chain on a major social media platform: (1) analytics subdomain has a dangling DNS reference to an expired domain, (2) I can serve a redirect from that domain, (3) the platform renderer fetches and executes the redirected content. JS execution is confirmed from multiple IPs. Internal DNS names resolve from the renderer context but not publicly. The program uses an internal SSRF validation tool (canary endpoint) that I have not been able to trigger yet. My addendum shows internal DNS resolution and port-scan timing differentials, but the triager wants the canary hit. Need someone who has experience proving internal network access through SSRF chains - specifically bypassing allowlist-based SSRF detection. DM @BugUnstuck on Twitter.

Focus area: Internal network proof / canary trigger bypass
by s3nt1n3l | 3h ago | Confidence: 75/100 | 4 views | 0 interested