Description
Server-side request forgery is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an internal location. And as you are using an AWS instance, I am able to fetch AWS metadata.
Steps To Reproduce
- Log in to your account and navigate to the Flows section.
- Send a GET request to the following endpoint:
  http://169.254.169.254/latest/meta-data
- You will receive a response containing AWS instance metadata.
Expected behavior
The server should have blocked or restricted all internal network requests, especially to sensitive endpoints like the AWS metadata service (http://169.254.169.254/). External users should not be able to make requests to internal resources using user-controllable input.
Impact
The Server-Side Request Forgery (SSRF) vulnerability allows an attacker to force the server to make arbitrary HTTP requests. In this case, the attacker is able to access the internal metadata service at http://169.254.169.254/, which is a special IP used by cloud providers like Vultr to expose sensitive instance information.
By exploiting this vulnerability, an attacker can:
- Access internal metadata such as:
  - instance-id, mac, local-ipv4, and hostname
  - public-ipv4 and network config details
- Enumerate internal services or network infrastructure
- Attempt to exfiltrate or abuse cloud-specific metadata (such as credentials in user-data, or tokens if available)
- Use it as a stepping stone to elevate privileges or gain deeper access into the cloud infrastructure
Even though user-data is empty in this case, the SSRF is still critical, as it proves that internal services are accessible — and future cloud config changes may expose sensitive content.