For example, if there is a web application running on an AWS EC2 instance, a user supplied input like would initiate a web request to the endpoint from the AWS EC2 resulting in a response being sent back to the client. In the most simple cases of an SSRF, a request to an attacker supplied URL is made from the server. What does the defence look like to an attacker With the introduction of the version 2 of the Instance Metadata by AWS, authentication is now a requirement to query the endpoint. When discovered on a cloud instance, things get a little more interesting as attackers can access the metadata instance, available via a APIPA range IP address over HTTP-, and accessible only from the target.įor AWS this has always been a cause for concern as there was no authentication present to access this instance, and no requirement for a custom header that both GCP and Azure have.Ī successful SSRF attack meant that the attacker would be able to query the instance and retrieve AWS EC2 specific information and in the worst case, temporary credentials attached to the AWS EC2.Īn attacker could then impersonate the role attached to the machine using the temporary credentials and do additional discovery or damage. Server Side Request Forgery can be an extremely lucrative finding to an attacker because of the ability to make requests from the target machine.
The technical side of how the Capital One breach occurred, the impact of the breach and what you can do as a user of cloud services to prevent this from happening to you - Background
Multiple scenarios to attack and exploit AWS misconfigurations which includes a scenario to perform SSRF on AWS EC2 on pre IMDSv2 setups.
Having blogged about exploiting SSRF on AWS EC2 instances in the past, we wanted to give you an update on where things stand now.
0 kommentar(er)
