https://slcyber.io/assetnote-security-research-center/novel-ssrf-technique-involving-http-redirect-loops/
This drove us nuts. Was there something special about the 305 status code? Even though we performed a redirect from 301 to 310, why did we only get the HTTP responses from status code 305 and beyond?
Was this an issue with libcurl? After extensive analysis of the libcurl source code and this application’s binary, we don’t think so.
Instead, we believe that the application was happy to follow a few redirects (and failing on JSON parsing) and was not happy about following more than the max redirects configured for libcurl. However, there was an error state when it followed more than five redirects, not handled by libcurl but rather by the application itself.
