Cloud Metadata SSRF
What is Cloud Metadata SSRF?
Cloud Metadata SSRF: a server-side request forgery attack that abuses a vulnerable application to query a cloud provider's instance metadata service and steal temporary credentials.
Cloud metadata SSRF abuses an application that fetches URLs on behalf of the user to make the underlying virtual machine query its instance metadata service (IMDS), typically at 169.254.169.254. The response contains environment data and, crucially, short-lived IAM credentials bound to the instance role. The Capital One breach of 2019, attributed to Paige Thompson, used this technique against a misconfigured AWS WAF to obtain credentials and download over one hundred million customer records from S3. Mitigations include enforcing IMDSv2 with session tokens, network-level egress filtering to 169.254.169.254, minimal instance role permissions, and rigorous SSRF input validation in proxies and image fetchers.
● Examples
- 01: An image-resizing endpoint that retrieves http://169.254.169.254/latest/meta-data/iam/security-credentials/ to steal role credentials.
- 02: Capital One 2019: SSRF against a vulnerable WAF returns AWS keys later used to read S3 buckets.
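The "rigorous SSRF input validation" mitigation applied to the image-fetcher case in example 01, as an added example that is not part of the original page: a URL check that resolves the host and rejects any address in the link-local range that holds 169.254.169.254 (plus loopback and RFC 1918 space). BLOCKED_NETWORKS, validate_fetch_url, table_resolver and the CONSTRUCTED_DNS table are constructed assumptions so it runs offline; dns_resolver is the production path.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an outbound fetcher must never reach; the metadata address
# 169.254.169.254 sits inside the link-local block.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def is_blocked_ip(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before range checks.
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)

def dns_resolver(host):
    # Production resolver: every address the OS would actually connect to.
    # Checking resolved addresses rather than URL text also defeats
    # decimal or octal IPv4 spellings that string matchers miss.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

# Constructed DNS table so the example runs offline; not a real zone.
CONSTRUCTED_DNS = {
    "images.example.com": {"93.184.216.34"},
    "alias-to-imds.example": {"169.254.169.254"},  # name pointing at IMDS
}

def table_resolver(host):
    # Offline stand-in for dns_resolver; IP literals pass through,
    # unknown names raise ValueError like a failed lookup.
    if host in CONSTRUCTED_DNS:
        return CONSTRUCTED_DNS[host]
    return {str(ipaddress.ip_address(host))}

def validate_fetch_url(url, resolver=dns_resolver):
    """Return (allowed, reason) for a user-supplied fetch URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        addresses = resolver(parts.hostname)
    except (socket.gaierror, ValueError):
        return False, "unresolvable host"
    for ip in addresses:
        if is_blocked_ip(ip):
            return False, f"host resolves to blocked address {ip}"
    return True, "ok"
```

The fetcher must connect to an address validated here rather than re-resolving the name, and must re-run the check on every redirect target, otherwise DNS rebinding or a 302 to the metadata address bypasses the filter.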
● Frequently asked questions
What is Cloud Metadata SSRF?
A server-side request forgery attack that abuses a vulnerable application to query a cloud provider's instance metadata service and steal temporary credentials. It belongs to the Cloud Security category of cybersecurity.
What does Cloud Metadata SSRF mean?
A server-side request forgery attack that abuses a vulnerable application to query a cloud provider's instance metadata service and steal temporary credentials.
How does Cloud Metadata SSRF work?
Cloud metadata SSRF abuses an application that fetches URLs on behalf of the user to make the underlying virtual machine query its instance metadata service (IMDS), typically at 169.254.169.254. The response contains environment data and, crucially, short-lived IAM credentials bound to the instance role. The Capital One breach of 2019, attributed to Paige Thompson, used this technique against a misconfigured AWS WAF to obtain credentials and download over one hundred million customer records from S3. Mitigations include enforcing IMDSv2 with session tokens, network-level egress filtering to 169.254.169.254, minimal instance role permissions, and rigorous SSRF input validation in proxies and image fetchers.
How do you defend against Cloud Metadata SSRF?
Defences for Cloud Metadata SSRF typically combine technical controls (enforcing IMDSv2 with session tokens, network-level egress filtering to 169.254.169.254, and minimal instance role permissions) with operational practices such as rigorous SSRF input validation in proxies and image fetchers, as detailed in the full definition above.
What are other names for Cloud Metadata SSRF?
Common alternative names include: Instance metadata SSRF, IMDS SSRF.
● Related terms
- AWS IMDSv1 Attack (cloud-security № 079): Theft of EC2 instance role credentials by sending unauthenticated GET requests to the legacy IMDSv1 endpoint, typically via SSRF.
- Cloud Token Theft (cloud-security № 190): Stealing OAuth, SAML, or signing tokens from a cloud identity service and replaying them to impersonate users or services without needing passwords.
- Cloud Data Exfiltration (cloud-security № 183): The unauthorized copy or transfer of data out of a cloud account, often via object storage APIs, snapshots, replication, or attacker-controlled accounts.
- IAM Privilege Escalation (cloud-security № 505): Abusing existing cloud IAM permissions to gain higher privileges, often via policy editing, role passing, or self-granting administrative rights.
- Server-Side Request Forgery (SSRF) (attacks № 1008): A web vulnerability that allows an attacker to coerce a server into making HTTP or other network requests on their behalf, often against internal systems.
● See also
- Container Escape (№ 211)