0Pricing
Ethical Hacking Academy · Lesson

Metadata and SSRF

Cloud-specific attacks.

The Instance Metadata Service

Every cloud VM can query a special internal endpoint to learn about itself: the Instance Metadata Service (IMDS). Critically, it can also hand out the temporary credentials of the role attached to the instance.

  • AWS / GCP / Azure all expose metadata at 169.254.169.254
  • It is reachable only from inside the instance
  • It requires no authentication from local processes

This convenience becomes a weapon when combined with SSRF.

Reading AWS Metadata (IMDSv1)

In the legacy IMDSv1, a single GET request returns metadata, including role credentials. No token needed.

This is exactly what makes IMDSv1 dangerous when an app has SSRF.

# List roles attached to the instance
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Retrieve the temporary credentials for a role
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role

All lessons in this course

  1. Cloud Attack Surface
  2. IAM Misconfigurations
  3. S3 and Storage Exposure
  4. Metadata and SSRF
← Back to Ethical Hacking Academy