The specific path /metadata/identity/oauth2/token is unique to Microsoft Azure's Instance Metadata Service (IMDS). When a virtual machine or container requests this endpoint, the Azure infrastructure returns an OAuth 2.0 access token for the Managed Identity assigned to that host, scoped to the audience named in the request's resource parameter.

How the Attack Works: Server-Side Request Forgery (SSRF)

Beyond token retrieval, the metadata service also exposes a range of information about the VM, such as its ID, name, size, network configuration and more (on Azure under /metadata/instance). That information is what makes the service useful for automated configuration and management tasks, and it is why every major provider ships one.
At first glance, webhook-url-http-3A-2F-2F169.254.169.254-2Fmetadata-2Fidentity-2Foauth2-2Ftoken looks like a mess of hyphens and hex. It is an ordinary percent-encoded URL in which every '%' has been replaced by '-' (so -3A is ':' and -2F is '/'), prefixed with the name of the parameter it was submitted in. Let's decode it step by step.
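The decoding described above, as an added Python example that is not part of the original post: it undoes the hyphen-for-percent escaping, separates the parameter name from the value, and checks the resulting URL against the credential-bearing metadata endpoints. The page only discusses the Azure path; the AWS and GCP paths and the extra metadata hosts (fd00:ec2::254, metadata.google.internal) are added here from the providers' documentation so the classifier covers all three clouds.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the indicator string discussed on the page.
SAMPLE_INDICATOR = "webhook-url-http-3A-2F-2F169.254.169.254-2Fmetadata-2Fidentity-2Foauth2-2Ftoken"

# Assumed layout of the indicator: "<parameter name>-<encoded value>" with a fixed parameter prefix.
PARAMETER_PREFIX = "webhook-url-"

# '-XX' with two hex digits is a '%XX' percent-escape whose '%' was replaced by '-'.
HYPHEN_ESCAPE = re.compile(r"-([0-9A-Fa-f]{2})")

# Hosts that serve cloud instance metadata. 169.254.169.254 is shared by AWS, Azure and GCP;
# the other two (AWS IPv6 endpoint, GCP hostname alias) are added from provider documentation.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}

# Well-known metadata path prefixes, by provider (AWS and GCP entries added from their docs).
KNOWN_PATHS = [
    ("azure", "/metadata/identity/oauth2/token", "Azure IMDS managed identity access token"),
    ("azure", "/metadata/instance", "Azure IMDS instance information"),
    ("aws", "/latest/meta-data/iam/security-credentials", "AWS IMDSv1 role credentials"),
    ("aws", "/latest/api/token", "AWS IMDSv2 session token request"),
    ("gcp", "/computeMetadata/v1/instance/service-accounts", "GCP service account token/metadata"),
]


def decode_hyphen_encoding(value: str) -> str:
    """Restore each '-XX' escape to the character it encodes ('-3A' -> ':', '-2F' -> '/')."""
    return HYPHEN_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def split_indicator(indicator: str) -> tuple:
    """Split 'webhook-url-<encoded value>' into (parameter name, encoded value)."""
    if not indicator.startswith(PARAMETER_PREFIX):
        raise ValueError(f"indicator does not start with {PARAMETER_PREFIX!r}")
    return PARAMETER_PREFIX.rstrip("-"), indicator[len(PARAMETER_PREFIX):]


def classify_url(url: str) -> dict:
    """Say whether a URL targets a metadata host and, if so, which provider endpoint."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    result = {
        "url": url,
        "host": host,
        "path": parts.path,
        "metadata_host": host in METADATA_HOSTS,
        "provider": None,
        "description": None,
    }
    if result["metadata_host"]:
        for provider, prefix, description in KNOWN_PATHS:
            if parts.path.startswith(prefix):
                result["provider"] = provider
                result["description"] = description
                break
    return result


def analyse_indicator(indicator: str) -> dict:
    """Decode a hyphen-escaped webhook-url indicator and classify the URL it hides."""
    parameter, encoded = split_indicator(indicator)
    report = classify_url(decode_hyphen_encoding(encoded))
    report["parameter"] = parameter
    return report


if __name__ == "__main__":
    for key, value in analyse_indicator(SAMPLE_INDICATOR).items():
        print(f"{key:14} {value}")
```

The decoder only treats a hyphen as an escape when it is followed by exactly two hex digits, which is why the literal hyphens in the parameter name survive; a legitimate hostname containing something like "-ab" would be mis-decoded, so keep the parameter split before the decode step as shown.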
The string webhook-url-http-3A-2F-2F169.254.169.254-2Fmetadata-2Fidentity-2Foauth2-2Ftoken is a clear indicator of malicious intent or active penetration testing. It serves as a reminder that webhook features cannot be treated as simple out-of-the-box HTTP clients. Without strict input parsing, robust network isolation, and hardened metadata configurations, a user-facing webhook feature can easily turn into an open doorway to your entire cloud architecture.
A stolen token is only as powerful as the role assignments of the identity it belongs to, but those assignments routinely cover databases, storage (S3 buckets or Azure Blob containers), and Key Vault secrets.
Note that "IMDSv2" is an AWS control, not an Azure one: with HttpTokens set to required, an AWS instance only answers requests that carry a session token obtained through a separate PUT, which a URL-only SSRF cannot perform. Azure's IMDS has no v2; its protection is the mandatory Metadata: true request header, and it also rejects requests that carry an X-Forwarded-For header, so a webhook fetcher that only takes a URL is blocked while one that lets users set arbitrary headers (or that proxies through something that adds them) is not. GCP likewise requires a Metadata-Flavor: Google header. Enforce whichever control your provider offers, and still block the metadata address in the fetcher itself.
Discovery: An attacker finds a feature that asks for a URL (a webhook, an image uploader, a link preview, an import-from-URL form).
Payload: They enter the Azure metadata URL.
Execution: Your server fetches the URL internally, from inside the VM, which is the only place the metadata service is reachable.
[Attacker]
   │ 1. Submits malicious webhook URL: http://169.254.169...
   ▼
[Vulnerable Cloud Application Server]
   │ 2. Server trusts the input and makes an internal HTTP request
   ▼
[Azure Instance Metadata Service (IMDS)]
   │ 3. Accepts the request (it originates inside the VM) and returns an OAuth2 token
   ▼
[Vulnerable Cloud Application Server]
   │ 4. Leaks the token response back to the attacker
   ▼
[Attacker Client]  (Achieves Cloud Infrastructure Access)
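Step 2 is the one the application controls, so that is where to break the chain. The following is an added Python example, not code from the original post or from any product it mentions: a webhook URL validator that resolves the hostname, rejects any record that lands on the metadata service, a link-local, loopback, private or otherwise non-public address (including IPv4-mapped IPv6 forms), pins delivery to the address it vetted so a DNS rebinding cannot swap in an internal one after the check, and refuses to follow redirects. The hosts and addresses in the usage are constructed; static_resolver exists so the check can be exercised offline.

```python
from __future__ import annotations

import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Metadata service addresses (the shared 169.254.169.254 plus AWS's IPv6 endpoint). Both are
# link-local and would fail the range check anyway; naming them gives a clear log reason.
METADATA_ADDRESSES = {ipaddress.ip_address("169.254.169.254"), ipaddress.ip_address("fd00:ec2::254")}


class WebhookURLError(ValueError):
    """Raised when a user-supplied webhook URL must not be fetched."""


def resolve_all(host: str, port: int) -> set:
    """Resolve every address for host; numeric hosts resolve without DNS."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    # sockaddr[0] is the address text; strip an IPv6 zone id such as '%eth0'.
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}


def static_resolver(table: dict):
    """Build a resolver from a fixed {host: [address, ...]} map (offline runs and tests)."""
    def resolve(host: str, port: int) -> set:
        return {ipaddress.ip_address(a) for a in table.get(host, [])}
    return resolve


def blocked_reason(addr):
    """Return why an address must not be contacted, or None if it is a public address."""
    # ::ffff:169.254.169.254 is the metadata address in IPv6 clothing; judge the embedded IPv4.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        return blocked_reason(mapped)
    if addr in METADATA_ADDRESSES:
        return "cloud metadata service"
    if addr.is_link_local:
        return "link-local"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private/internal network"
    if not addr.is_global:
        return "non-global (reserved, multicast or unspecified)"
    return None


def validate_webhook_url(url: str, resolver=resolve_all):
    """Validate a webhook URL and return (hostname, vetted address) for pinned delivery."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise WebhookURLError(f"scheme {parts.scheme!r} is not allowed")
    if parts.username is not None or parts.password is not None:
        raise WebhookURLError("credentials in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise WebhookURLError("URL has no host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise WebhookURLError(f"bad port: {exc}") from exc
    addresses = resolver(host, port)
    if not addresses:
        raise WebhookURLError(f"{host} does not resolve")
    # Every record must pass: a name with one public and one internal record is a rebinding trick.
    for addr in sorted(addresses, key=str):
        reason = blocked_reason(addr)
        if reason:
            raise WebhookURLError(f"{host} resolves to {addr}: {reason}")
    return host, sorted(addresses, key=str)[0]


def rejection_reason(url: str, resolver=resolve_all):
    """The rejection message for url, or None when it is acceptable."""
    try:
        validate_webhook_url(url, resolver)
    except WebhookURLError as exc:
        return str(exc)
    return None


def deliver(url: str, body: bytes, timeout: float = 5.0) -> int:
    """POST body to the webhook over a socket opened to the vetted address (no second DNS
    lookup) and refuse redirects, which could otherwise point back at an internal address."""
    host, addr = validate_webhook_url(url)
    parts = urlsplit(url)
    https = parts.scheme.lower() == "https"
    port = parts.port or (443 if https else 80)
    sock = socket.create_connection((str(addr), port), timeout=timeout)
    if https:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.sock = sock  # reuse the pinned socket; the Host header still names the vetted hostname
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    conn.request("POST", path, body=body, headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    if 300 <= resp.status < 400:
        raise WebhookURLError(f"webhook answered {resp.status}; redirects are not followed")
    return resp.status


if __name__ == "__main__":
    print(rejection_reason("http://169.254.169.254/metadata/identity/oauth2/token"))
    offline = static_resolver({"hooks.example.com": ["93.184.216.34"]})  # constructed mapping
    print(rejection_reason("https://hooks.example.com/notify", offline))
```

The check alone is not enough on its own box: combine it with an egress policy that drops traffic from the application's network namespace to 169.254.169.254, and with the provider-side header or session-token requirement, so that a bypass of any one layer still does not yield a token.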
Decoded, the value is http://169.254.169.254/metadata/identity/oauth2/token: the Azure IMDS endpoint that hands out an access token for the instance's managed identity.
The IP address 169.254.169.254 is a link-local address used by all major cloud service providers (AWS, Azure, GCP) to serve instance metadata to running virtual machines. It is reachable only from within the virtual machine itself, and it provides information about the instance's identity, network configuration, and assigned roles without any external credentials: originating from the host is the whole proof of authorisation.

The Specific Endpoint: /metadata/identity/oauth2/token
A legitimate request from inside an Azure VM looks like this (api-version and resource are required query parameters, and the Metadata: true header is mandatory, which is exactly the header a URL-only SSRF fetch cannot add):

GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/ HTTP/1.1
Metadata: true