Request-url-http-3a-2f-2f169.254.169.254-2flatest-2fmeta Data-2fiam-2fsecurity Credentials-2f

```bash
# Step 1: Generate a token (valid for 6 hours / 21600 seconds)
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Step 2: Request the credentials, passing the token in the request header
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
```

http://169.254.169 is a critical endpoint within the AWS Instance Metadata Service (IMDS) used to retrieve temporary security credentials assigned to an EC2 instance. While essential for IAM role authentication, this endpoint is a primary target for Server-Side Request Forgery (SSRF) attacks, which can lead to credential theft and privilege escalation. To mitigate these risks, AWS introduced IMDSv2, which uses a session-oriented, token-based approach to protect against unauthorized metadata access. Implementing IMDSv2 and adopting the principle of least privilege are key security practices for securing this data.

The attacker aims to steal the temporary credentials, which can then be used from outside the AWS environment to gain unauthorized access to your cloud resources, such as S3 buckets or other EC2 instances.

IMDS Versioning:

An attacker finds an input field (like a profile picture uploader via URL, or a PDF generator) that is vulnerable to SSRF.

From that day forward, Alex roamed the kingdom with ease, using their newfound understanding of the mystical URL and the secrets it held. The URL, once a cryptic string of characters, had become a key to unlocking the kingdom's hidden paths and secrets.


By appending /latest/meta-data/iam/security-credentials/ to the metadata service URL, the instance requests its IAM security credentials.

The requested URL targets the of an Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instance. This is not a standard external website; rather, it is a specialized internal HTTP endpoint that exists on every AWS EC2 instance. The URL is encoded to bypass standard input validation filters often found in web applications.

When cyber security analysts or automated Web Application Firewalls (WAFs) flag this keyword in their logs, they are looking at a partially URL-encoded string.

Decoding the Request
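The decoding an analyst applies to such a log entry can be automated. The following is an added example, not code from the original page: it undoes percent-encoding and the hyphen-hex form seen in this page's title, then flags requests for the IMDS credentials path. The function names, the log lines and the role name `example-role` are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Hyphen-hex escapes (e.g. "-3a-2f-2f") are decoded only when they stand for
# URL punctuation, so ordinary text such as "meta-data" is left intact.
_HYPHEN_HEX = re.compile(r"-([0-9a-fA-F]{2})")
_URL_PUNCT = set(":/?=&.%")
_IMDS_CREDS = re.compile(
    r"169\.254\.169\.254/+latest/+meta-data/+iam/+security-credentials"
    r"(?:/+([\w+=,.@-]+))?",
    re.IGNORECASE,
)

def _hyphen_decode(match):
    char = chr(int(match.group(1), 16))
    return char if char in _URL_PUNCT else match.group(0)

def normalize(text, max_rounds=3):
    """Undo percent- and hyphen-hex encoding, repeating for nested encoding."""
    for _ in range(max_rounds):
        decoded = _HYPHEN_HEX.sub(_hyphen_decode, unquote(text))
        if decoded == text:
            break
        text = decoded
    return text

def classify(log_line):
    """Return None, 'role-listing' or 'credential-fetch' for one log line."""
    match = _IMDS_CREDS.search(normalize(log_line))
    if match is None:
        return None
    # A role name after the path means the credential document was requested.
    return "credential-fetch" if match.group(1) else "role-listing"

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOGS = [
    "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F 200",
    "GET /request-url-http-3a-2f-2f169.254.169.254-2flatest-2fmeta-data-2fiam-2fsecurity-credentials-2f 404",
    "GET /fetch?url=http%253A%252F%252F169.254.169.254%252Flatest%252Fmeta-data%252Fiam%252Fsecurity-credentials%252Fexample-role 200",
    "GET /fetch?url=https%3A%2F%2Fexample.com%2Favatar.png 200",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(classify(line), "<-", line)
```

Normalizing before matching matters because a rule that looks only for the literal URL misses the encoded variants in the second and third sample lines.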

The string you provided appears to be an . It could originate from:

Accessing this path typically returns the name of the IAM role. Appending that role name to the URL (e.g., .../iam/security-credentials/ ) provides the access key, secret key, and session token.

Security Context

Recommendations

* Validate and sanitize user-supplied URLs.
* Block requests to internal IP ranges like 254.169.254 (IMDS)
* Log a...

Hacking Articles

IMDSv2 adds and a required PUT header (X-aws-ec2-metadata-token). This blocks many SSRF attacks because simple GET requests are ignored.

"Code": "Success", "LastUpdated": "2023-04-12T16:55:44Z", "Type": "AWS4", "AccessKeyId": "ASIAQHJYEXAMPLE123", "SecretAccessKey": "6P+RveEXAMPLEKeyHere123", "SessionToken": "IQoJc2Vhc3QtMSJIMEYCIQCEXAMPLETokenValue123==", "Expiration": "2023-04-12T23:55:44Z"

This feature is commonly used in deployment scripts running on EC2 instances to access AWS resources securely. For example, an EC2 instance might use these credentials to upload logs to S3, make changes to DynamoDB, or process data in SQS queues.

This IP is only accessible from within the virtual machine (VM) or container itself. It cannot be routed over the public internet.

SSRF occurs when an attacker can cause a web application to send a crafted request to an unexpected destination.

The Attack Scenario