The URL in question, http://169.254.169.254/latest/meta-data/iam/security-credentials/ , is an endpoint provided by AWS for instances running within its ecosystem. The IP address 169.254.169.254 is a link-local address that serves as an entry point to the AWS Instance Metadata Service. This service allows AWS instances to access metadata about themselves without the need for explicit configuration.
If successful, an attacker can use these credentials to impersonate your server and access other AWS services, such as: S3 Buckets : Downloading sensitive customer data. EC2 Instances : Modifying or terminating infrastructure. Secrets Manager : Extracting database or API keys. The URL in question, http://169
: The vulnerable server, thinking it is fetching a legitimate resource, makes an internal HTTP request to the metadata IP. If successful, an attacker can use these credentials
: Success allows the attacker to steal the AccessKeyId , SecretAccessKey , and Token of the IAM role attached to that server. : The vulnerable server, thinking it is fetching
AWS now offers IMDSv2, which requires a session-oriented token (a PUT request to get a token before a GET request for data). This effectively blocks most SSRF attacks because the attacker cannot easily perform the multi-step handshake through a simple URL parameter.
First, let’s decode the URL-encoded string:
The attacker is likely testing a "callback" or "webhook" feature in your application. By providing this internal URL, they are checking if your server will fetch the data and return it to them or trigger an action they can monitor. Potential Impact If the attack is successful, the consequences include: