SSRF Bug Leads To AWS Metadata Exposure

5 min readOct 26, 2022

How can you leverage an SSRF (“Server Side Request Forgery”) vulnerability to evade filters and leak internal AWS credentials on a web application? Today I will discuss how I managed to utilize a webpage screenshot feature to bypass certain filters and exfiltrate server side AWS Metadata.

Introduction

While looking through a certain BBP (“Bug Bounty Program”) I came across an interesting feature in the application. This feature allowed for a user to supply any URL and have the specified webpage captured as an image which would then be provided back to the user.

This feature appeared very interesting because if there were any errors in its configuration or input validation, its functionality could provide an attacker a wide variety of different attack methods. This includes possibly accessing endpoints on the website that I do not otherwise have access to, having the server request any domain of my choosing, and being able to request local resources on the server to screenshot and view myself.

Below I will walk through the methods I applied to attempt to discover flaws in this functionality. Many of these attempts failed but after continuously testing this functionality, it led me to one method that successfully returned any AWS metadata from the back-end server that I requested.

The Hunt

The very first few attempts I made to try and manipulate this into returning sensitive information were relatively simple. This included adding endpoints from the current domain that would contain sensitive information. I thought by doing so, I could view these pages with heightened privileges since the request originated from the back-end server, which may be linked to a high privilege account. These tests included endpoints such as:

/admin
/oauth/token
/api/v1/user

After multiple attempts, it showed that the server was not authenticated to the application, and it would just return the login page for the site. Therefore I knew exploiting this would not end up being as simple as that and I would have to attempt other techniques if I wanted to find a bug within it.

SSRF Bug Leads To AWS Metadata Exposure

Introduction

The Hunt

Written by Raymond Lind

More from Raymond Lind

SSRF & LFI In Uploads Feature

Hello fellow hackers, today I will discuss how I found a Server-Side Request Forgery (SSRF) which lead to a Local File Inclusion (LFI) that…

Stored XSS To Cookie Exfiltration

Today I will be explaining an XSS (“Cross Site Scripting”) vulnerability I found in a private bug bounty program that allowed me to…

How I Found A Simple Stored XSS

This is the story of how I found my first Stored XSS (“Cross Site Scripting”) vulnerability in a bug bounty program and a walk through on…

Finding Reflected XSS In A Strange Way

Today I will be talking about how I foua reflected XSS (“Cross Site Scripting”) vulnerability in a very popular bug bounty program and…

Recommended from Medium

SSRF (LAB)

Description

Blind SSRF - The Tray

Redbull Reward

Lists

General Coding Knowledge

Coding & Development

Stories to Help You Grow as a Software Developer

ChatGPT

S3 Bucket Enumeration: Research and Insights

This report provides a comprehensive exploration of S3 bucket enumeration, a critical aspect of cloud security research focused on…

Chaining CORS by Reflected XSS to Steal Sensitive Data

My name is Mohammad Reza Omrani and in this post, I will describe a vulnerability I recently discovered.

How I found an XSS via multiple parameters

Hello everyone, after receiving a generous reward at Bugcrowd for an XSS, I would like to share a discovery from a Bug Bounty I found a…

Server-side Request Forgery (SSRF)

Ways to attack the defense set for SSRF attack