Modern cloud applications rely heavily on webhooks to automate real-time communication between different software systems. When a specific event occurs, a web application sends an automated HTTP request to a URL specified by the user. While this feature creates seamless integrations, it also introduces one of the most critical security vulnerabilities in cloud computing: Server-Side Request Forgery (SSRF).
If the server doesn’t add the required Metadata: true header, the IMDS will reject the request (Azure requires it). But many SSRF attacks can still succeed if the server includes default headers – some HTTP libraries automatically add Host, User-Agent, and sometimes even forward custom headers.
To understand why this string is highly sensitive, we must break down its individual technical components.
Azure protects its metadata service by requiring a specific HTTP header (Metadata: true) for IMDS requests. This prevents basic SSRF attacks in which the attacker cannot manipulate HTTP headers. Ensure your cloud configurations enforce strict header validation and block any automated scripts or proxies that bypass this check.

2. Implement Strict Webhook Whitelisting
The vulnerable web application fails to validate the URL. It assumes the URL belongs to a legitimate external service (like Slack or Stripe) and initiates a backend HTTP request.
It doesn't look like a normal webhook (e.g., https://slack.com/...). Instead, it is an .
    from urllib.parse import unquote, urlparse

    def is_safe_webhook_url(raw_url):
        # Decode percent-encoding first, so an encoded host cannot hide the real target
        decoded_url = unquote(raw_url)
        parsed = urlparse(decoded_url)
        # Require plain HTTPS to a named host and reject the link-local IMDS address
        return parsed.scheme == "https" and parsed.hostname not in (None, "169.254.169.254")
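A fuller, allowlist-based version of that check, added here as an example (not code from the original article): it decodes both percent-encoding and the hyphen-escaped form of the string discussed on this page before checking scheme, blocked address ranges and an allowlist of webhook hosts. The allowlist entries, the function names and the hyphen-escape handling are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import unquote, urlparse

# Constructed allowlist for this example: the only hosts a webhook may target.
ALLOWED_WEBHOOK_HOSTS = {"hooks.slack.com", "api.stripe.com"}

# Ranges a webhook must never reach: link-local (IMDS sits at 169.254.169.254),
# loopback and private address space, for both IPv4 and IPv6.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

HYPHEN_ESCAPE = re.compile(r"-([0-9A-Fa-f]{2})")


def decode_webhook_url(raw_url, max_rounds=5):
    """Undo the escaping before parsing: standard percent-encoding, plus the
    hyphen-escaped variant from the article ("-3A-2F-2F" standing for "://").
    Decoding repeats until the value is stable so double-encoding cannot hide
    the real host; the hyphen form is only tried while no "://" is present."""
    current = raw_url
    for _ in range(max_rounds):
        decoded = unquote(current)
        if "://" not in decoded:
            decoded = unquote(HYPHEN_ESCAPE.sub(r"%\1", decoded))
        if decoded == current:
            break
        current = decoded
    return current


def is_allowed_webhook_url(raw_url):
    """Fail-closed check: HTTPS only, literal IPs must not fall in a blocked
    range, and hostnames must be on the allowlist. Anything unparsable
    (including decimal/octal IP spellings) is rejected."""
    parsed = urlparse(decode_webhook_url(raw_url))
    host = parsed.hostname
    if parsed.scheme != "https" or not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat as a hostname and consult the allowlist.
        # Resolving it at fetch time and re-checking the resolved address
        # (against the same BLOCKED_NETWORKS) would also cover DNS rebinding.
        return host in ALLOWED_WEBHOOK_HOSTS
    return not any(addr in net for net in BLOCKED_NETWORKS)
```

Because the check is allowlist-based, a hostname that the hyphen decoding mangles (a legitimate host containing "-" followed by two hex digits) is simply rejected rather than mis-accepted.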
    http://169.254.169.254/metadata/identity/oauth2/token

And a response:

    {
      "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs...",
      "expires_in": "86399",
      "token_type": "Bearer"
    }
Applications that generate PDFs from user-supplied URLs (e.g., “Export to PDF” features) often fetch the URL server-side. An attacker can supply the metadata endpoint, and the PDF generator will fetch it, rendering the token inside a PDF that the attacker can download.
If the application displays the webhook response (e.g., in a "Test Webhook" log) or if the attacker can influence the request headers to send the result to their own server, they can steal this token.
The service does:
The string http-3A-2F-2F169.254.169.254-2Fmetadata-2Fidentity-2Foauth2-2Ftoken is a URL-encoded version of a standard Azure IMDS path: each -XX pair is a two-digit hex character code written with a hyphen in place of the usual %, so -3A is ":" and -2F is "/", and the string decodes to http://169.254.169.254/metadata/identity/oauth2/token.
– Azure’s managed identity endpoint is predictable and well-documented. Attackers don’t need to guess.