Directly incorporating user input into a HTTP request without validating the input can facilitate Server Side Request Forgery (SSRF) attacks. In these attacks, the server may be tricked into making a request and interacting with an attacker-controlled server.
To guard against SSRF attacks, it is advisable to avoid putting user input directly into the request URL. Instead, maintain a list of authorized URLs on the server; then choose from that list based on the user input provided.
The following example shows an HTTP request parameter being used directly in a forming a new request without validating the input, which facilitates SSRF attacks. It also shows how to remedy the problem by validating the user input against a known fixed string.