Webhook-url-http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken


Context: Orca Security's SSRF research found four Azure services vulnerable to SSRF, among them Azure API Management and Azure Functions; that is the class of flaw that lets an attacker-supplied URL reach the metadata endpoint discussed on this page.

Before sending the HTTP request, resolve the destination hostname via DNS and check every resulting IP address against a strict denylist covering loopback, private ranges (RFC 1918) and link-local ranges (169.254.0.0/16, where every major cloud's metadata service lives). Run the check on the decoded URL and on the resolved address, not on the raw string, and then connect to the address you validated: if you validate first and let the HTTP library resolve again later, DNS rebinding can return a harmless address for the check and 169.254.169.254 for the connection. Follow redirects manually and re-validate hop by hop, since an allowed host with an open redirect is an easy way around the check.

3. Upgrade to IMDSv2 / Enforce Security Headers. The metadata service itself can be hardened so that a simple GET is not enough. On AWS, require IMDSv2 (a PUT to obtain a session token, then an X-aws-ec2-metadata-token header on every request, with the hop limit set to 1 so containers and proxies cannot relay it); a blind SSRF that can only issue a GET cannot complete that exchange. Azure IMDS already demands the Metadata: true header and refuses requests that carry X-Forwarded-For, and GCP requires Metadata-Flavor: Google, so on those platforms the practical control is to make sure the webhook client cannot be made to add arbitrary headers.


The URL is composed of several parts: the scheme and host, http://169.254.169.254, which is the link-local address every major cloud uses for its instance metadata service, and the path, /metadata/identity/oauth2/token.

This path is unique to Azure's Instance Metadata Service (IMDS). When code running inside an Azure VM sends a GET to this endpoint with the header Metadata: true and a resource query parameter (the audience, for example https://management.azure.com/), the local IMDS returns a JSON Web Token (JWT) for the VM's assigned Managed Identity. No password or private key is required: the only "credential" is being on the VM, because Azure treats any request arriving at this non-routable address as coming from the VM itself. The Metadata: true header is the one guard against confused-deputy requests, so a webhook client that cannot be made to add custom headers receives an HTTP 400 from Azure IMDS; that makes Azure somewhat harder to exploit through blind SSRF than AWS IMDSv1, which needs no header at all.

The Attack Anatomy: Webhooks Meet SSRF

A webhook is a callback URL that a user registers with a service so that the service sends an HTTP request to it when an event occurs. Because the service's own backend makes that outbound request, whoever controls the URL controls where the backend connects, and that is exactly the server-side request forgery (SSRF) primitive needed to reach an internal-only address such as 169.254.169.254.

These endpoints are link-local and non-routable: they are not accessible from the public internet, nor from other VMs. However, any process running inside the VM can reach them, whatever user it runs as and whether or not it was ever meant to: a web application, a CI runner, a container, or a webhook sender coerced by an attacker.

The stolen token can be used from anywhere on the internet, not only from inside Azure, to access any resource the VM's Managed Identity has been granted (through Azure RBAC role assignments or Key Vault access policies), until the token's exp claim passes. The page cites a default of 60 minutes; managed-identity tokens issued through IMDS may be valid for longer, so read exp from the token rather than assuming. Bearer access tokens cannot be revoked before they expire, so containment means removing or narrowing the identity's role assignments and rotating any secrets it could have read.

The same primitive works against the other clouds, with one difference in how much control over the request the attacker needs. In AWS, the target is http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME (the role name is obtained by requesting the same path without the suffix), which returns temporary AccessKeyId, SecretAccessKey and Token values; with IMDSv1 enabled this needs nothing more than a GET, which is why webhook SSRF against AWS has historically been so productive, whereas IMDSv2 requires a PUT and a session-token header. In GCP, it is http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token, which returns a service-account access token, but only when the request carries the Metadata-Flavor: Google header.

Only permit webhooks to reach specific, trusted domains. An allowlist of destination hosts is the one control that does not have to anticipate every encoding or DNS trick for 169.254.169.254, but apply it to the decoded URL, and keep the resolved-address check behind it, because an allowed host can be compromised, misconfigured to resolve to an internal address, or used as an open redirect. Where webhook delivery can be moved into its own worker with no managed identity attached and an egress policy that drops traffic to 169.254.0.0/16, a successful SSRF yields nothing worth stealing.

In Azure, this endpoint is used by Managed Identities for Azure resources to request OAuth2 access tokens, enabling the VM to authenticate to other Azure services (such as Key Vault or Storage) without embedding credentials in code.

Deciphering the Webhook URL

The URL http://169.254.169.254/metadata/identity/oauth2/token is specifically designed for:

Identity: requesting a token for the VM's managed identity (the system-assigned identity by default, or a user-assigned one selected with client_id or object_id in the query string).
OAuth2: following the OAuth 2.0 protocol, so the result is an ordinary bearer token that any HTTP client can present in an Authorization header.
Token: fetching an access token for the audience named in the resource parameter, such as https://management.azure.com/ or https://vault.azure.net.
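The exchange described above, as an added example that is not part of the original page: the request a process on an Azure VM makes to the IMDS token endpoint (the documented api-version, resource parameter and Metadata header), and a triage helper that reads the returned JWT's claims to see which identity was obtained and how long the token stays usable. The IMDS-shaped response and the token inside it are constructed for this example with a placeholder signature, so the parsing runs offline; fetch_token only works on a real Azure VM.

```python
import base64
import json
import time
import urllib.request
from urllib.parse import urlencode

# Added example, not code from the original page. The request shape follows
# Azure's documented IMDS managed-identity endpoint; the sample response and
# token below are constructed (the signature is fake) so parsing runs offline.

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"


def build_imds_token_request(resource, api_version="2018-02-01"):
    """Build the request a process on an Azure VM makes to obtain a
    managed-identity token for the given audience (resource).

    Two details matter for SSRF: it is an unauthenticated GET, so any HTTP
    client on the VM can make it; and IMDS insists on the 'Metadata: true'
    header (and rejects requests carrying X-Forwarded-For), so the SSRF
    primitive must be able to set request headers."""
    query = urlencode({"api-version": api_version, "resource": resource})
    request = urllib.request.Request(f"{IMDS_TOKEN_ENDPOINT}?{query}", method="GET")
    request.add_header("Metadata", "true")
    return request


def fetch_token(resource):
    """Perform the request; only works on an Azure VM with a managed identity."""
    with urllib.request.urlopen(build_imds_token_request(resource), timeout=5) as response:
        return json.loads(response.read().decode("utf-8"))


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def describe_token(imds_response, now=None):
    """Summarise what a (possibly stolen) token grants by reading its JWT
    payload: the identity it represents, the audience it is valid for and
    how long it can still be used. The signature is deliberately not
    verified; this is for triage, not for accepting the token."""
    token = imds_response["access_token"]
    _header, payload_b64, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    return {
        "audience": claims.get("aud"),
        "tenant": claims.get("tid"),
        "app_id": claims.get("appid"),
        # xms_mirid names the Azure resource the managed identity belongs to
        "identity_resource": claims.get("xms_mirid"),
        "expires_at": claims["exp"],
        "seconds_remaining": max(0, int(claims["exp"] - now)),
    }


def constructed_sample_response():
    """A constructed, IMDS-shaped response for offline use. The claims mirror
    those Azure AD puts in managed-identity tokens; the signature is a
    placeholder, not a real RS256 signature."""
    issued = 1_700_000_000
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    claims = {
        "aud": "https://management.azure.com/",
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "tid": "00000000-0000-0000-0000-000000000000",
        "appid": "11111111-1111-1111-1111-111111111111",
        "xms_mirid": ("/subscriptions/00000000-0000-0000-0000-000000000000"
                      "/resourcegroups/rg-web/providers/Microsoft.Compute/virtualMachines/web01"),
        "iat": issued, "nbf": issued, "exp": issued + 3600,
    }
    token = ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])
    return {
        "access_token": token,
        "expires_in": "3600",
        "expires_on": str(issued + 3600),
        "resource": claims["aud"],
        "token_type": "Bearer",
    }


if __name__ == "__main__":
    print(describe_token(constructed_sample_response()))
```

When triaging a real finding, feed the captured IMDS response into describe_token: the xms_mirid claim tells you which VM's identity leaked, aud tells you which service the token works against, and seconds_remaining bounds the window before role assignments must be reviewed.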

The full keyword webhook-url-http-3A-2F-2F169.254.169.254-2Fmetadata-2Fidentity-2Foauth2-2Ftoken is URL-encoded, with the percent sign of each escape replaced by a dash (-3A is %3A, a colon; -2F is %2F, a slash). Decoded, it reads webhook-url=http://169.254.169.254/metadata/identity/oauth2/token: a webhook-url parameter whose value is the Azure IMDS token endpoint, which is how the payload appears in a query string or request log once a vulnerable service accepts it. Let's break it down:

– URL encoding bypasses simple string denylists that look for 169.254.169.254 or metadata in the raw value, because the filter runs before decoding while the HTTP client decodes the value before connecting. Attackers can also use decimal (http://2852039166/), octal (http://0251.0376.0251.0376/), hexadecimal (http://0xa9fea9fe/), shortened (http://169.254.43518/) or IPv6 representations (for example http://[::ffff:169.254.169.254]/), an attacker-controlled hostname whose DNS record points at 169.254.169.254, or an open redirect on an allowed host that answers with a 302 to the metadata address. The only check that survives all of these is one applied to the address the client will actually connect to: decode, resolve, compare against the link-local range, and repeat after every redirect.
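One way to implement the check that the mitigation section and the encoding list above both call for, as an added example that is not code from the original page: the URL is percent-decoded (repeatedly, so double encoding does not help), the host is canonicalised the way libc's inet_aton would read it (decimal, octal, hexadecimal and shortened forms), IPv4-mapped IPv6 literals are unwrapped, real hostnames are resolved, and every resulting address is compared against loopback, private and link-local ranges. The allowed_hosts parameter is an assumption of this example; the page only says webhooks should be limited to specific, trusted domains.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

# Added example (not code from the original page): validate a webhook URL by
# the address it will actually connect to, not by its text. allowed_hosts is
# an assumption of this example, not something the page specifies.

# Destinations a webhook sender must never reach. 169.254.0.0/16 covers the
# IMDS address used by AWS, Azure and GCP alike.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def _inet_aton_part(part):
    """Parse one dotted component as inet_aton does: 0x.. hex, 0.. octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host):
    """Turn the numeric forms libc accepts (decimal '2852039166', octal
    '0251.0376.0251.0376', hex '0xa9fea9fe', short '169.254.43518') into an
    IPv4Address; return None when host is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_inet_aton_part(p) for p in parts]
    except ValueError:
        return None
    # Every component but the last is one byte; the last fills the remaining bits.
    last_bits = 8 * (5 - len(parts))
    if any(v < 0 or v > 0xFF for v in values[:-1]) or not 0 <= values[-1] < 1 << last_bits:
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << last_bits) | values[-1])


def resolve_targets(host):
    """Return every IP address the host can denote. IPv4-mapped IPv6 literals
    are unwrapped, because [::ffff:169.254.169.254] reaches 169.254.169.254
    on the wire."""
    literal = canonical_ipv4(host)
    if literal is not None:
        return [literal]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A real hostname: take every A/AAAA record, since a resolver may
        # hand back the internal address on any one of them.
        return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return [ip.ipv4_mapped]
    return [ip]


def _fully_decode(value, rounds=5):
    """Percent-decode repeatedly so double encoding (%253A) cannot hide the real URL."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_safe_webhook_url(raw_url, allowed_hosts=None):
    """Decide whether a webhook URL may be contacted.

    Fails closed: anything unparsable, non-http(s), unresolvable, outside
    allowed_hosts (when given) or resolving to a denied network is rejected.
    Connect to the address validated here, and re-run the check on every
    redirect, so DNS rebinding cannot swap in 169.254.169.254 later."""
    try:
        url = urlsplit(_fully_decode(raw_url))
    except ValueError:
        return False
    if url.scheme not in ("http", "https") or not url.hostname:
        return False
    if allowed_hosts is not None and url.hostname not in allowed_hosts:
        return False
    try:
        targets = resolve_targets(url.hostname)
    except (ValueError, OSError):  # bad literal, or DNS failure (socket.gaierror)
        return False
    return all(not any(ip in net for net in DENIED_NETWORKS) for ip in targets)
```

The validator runs on every form listed above without network access because each of those is a numeric literal; only a genuine hostname triggers DNS, and then every returned record is checked, not just the first. It deliberately does not try to be a complete parser of what every HTTP client accepts, which is why the allowlist and egress policy from the mitigation section still belong in front of it.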

In short: treat any user-supplied callback URL as hostile, validate the resolved destination rather than the string, and assume that whatever identity is attached to the VM is available to anything that can make the VM send a request.