In the world of web application security, few attack vectors are as insidious—and as widely misunderstood—as Server-Side Request Forgery (SSRF). One particular pattern has emerged as a hallmark of sophisticated cloud-native attacks: a webhook URL pointing to the internal metadata service, often encoded as webhook-url-http-3A-2F-2F169.254.169.254-2Fmetadata-2Fidentity-2Foauth2-2Ftoken. This seemingly cryptic string decodes to http://169.254.169.254/metadata/identity/oauth2/token, a direct request to a cloud instance's metadata endpoint to steal OAuth2 tokens.
Let's break it down.
The instance metadata service allows an application running on a VM to securely retrieve information about its environment (e.g., VM size, network configuration, public keys) without needing to authenticate with a username or password.
Think of it as a "mirror" for a virtual machine or container. Any code running inside that instance can call this address to learn about itself—its ID, its network settings, and most importantly, its OAuth2 tokens.
The Webhook Vulnerability: SSRF
If an attacker enters http://169.254.169 into a poorly secured webhook field, they are attempting an SSRF attack. They are trying to trick the cloud server into making a request to its own internal metadata service.
The Attack Scenario:
GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/
Metadata: true
Mitigation: Explicitly block requests to link-local addresses (like 169.254.169.254) and private IP ranges (RFC 1918).
Mitigation: A per-user egress rule to block the web application's user ID from making any requests to the link-local address 169.254.169.254.
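As an added example (not code from the original article), here is a Python validator implementing the first mitigation above: it rejects webhook URLs whose destination is, or resolves to, a link-local or RFC 1918 address, including shorthand IP literals and IPv4-mapped IPv6 forms. The blocked-range list and the pluggable resolver are this example's own assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations a webhook dispatcher must never reach: the link-local range that
# hosts the cloud metadata service, RFC 1918 space, loopback and the IPv6
# equivalents (constructed list for this example; extend per environment).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "::1/128", "::/128", "fe80::/10", "fc00::/7",
)]

def _literal_address(host):
    """Parse a literal host, including shorthand forms such as '169.254.169'
    or a bare decimal number that inet_aton accepts; None for a DNS name."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
    except OSError:
        return None

def is_blocked(addr):
    """True if addr (or the IPv4 inside an IPv4-mapped IPv6) is off-limits."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)

def resolve_all(host):
    """Default resolver: every A and AAAA record as strings, so one blocked
    record hidden among public ones is still caught."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def validate_webhook_url(url, resolver=resolve_all):
    """Return (ok, reason) for a user-supplied webhook URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        return False, "missing host"
    literal = _literal_address(host)
    targets = {literal} if literal else {ipaddress.ip_address(a) for a in resolver(host)}
    for addr in targets:
        if is_blocked(addr):
            return False, f"destination {addr} is in a blocked range"
    return True, "ok"
```

The check must be repeated on every redirect hop, and the outbound connection should be made to the address that was validated rather than re-resolving the name, otherwise a DNS answer that changes between check and use bypasses it.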