SSRF Bug Leads To AWS Metadata Exposure
How can you leverage an SSRF (Server-Side Request Forgery) vulnerability to evade filters and leak internal AWS credentials on a web application? Today I will discuss how I managed to use a webpage screenshot feature to bypass certain filters and exfiltrate server-side AWS metadata.
Introduction
While looking through a certain BBP (Bug Bounty Program) I came across an interesting feature in the application. It allowed a user to supply any URL and have the specified web page captured as an image, which was then returned to the user.
This feature was interesting because any error in its configuration or input validation could hand an attacker a wide variety of attack methods: accessing endpoints on the website that I could not otherwise reach, having the server request any domain of my choosing, and requesting local resources on the server to screenshot and view myself.
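As an added defensive example (not code from the original post or from the application it describes), this is the kind of pre-flight check a screenshot service needs before it fetches a user-supplied URL: allow only http/https, resolve the host, and refuse any address that is loopback, link-local (the 169.254.169.254 instance metadata address falls here), private or otherwise non-public, including IPv4-mapped IPv6 literals. The hostnames and the FAKE_DNS table are constructed so the demo runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(hostname):
    """Resolve every A/AAAA record for the host; checking only the first one is not enough."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def is_forbidden_address(addr):
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 range checks apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    # Link-local covers the cloud metadata endpoint; the rest blocks loopback, RFC 1918, etc.
    return (addr.is_link_local or addr.is_loopback or addr.is_private
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_screenshot_url(url, resolver=resolve_all):
    """Return (allowed, reason). Only public http(s) targets pass."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parsed.hostname:
        return False, "missing host"
    try:
        addrs = resolver(parsed.hostname)
    except (socket.gaierror, ValueError):
        return False, "could not resolve host"
    for addr in addrs:
        if is_forbidden_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"


# Constructed stand-in for DNS (hypothetical names) so the example runs offline.
FAKE_DNS = {
    "app.example": {"93.184.216.34"},                        # public address (constructed)
    "rebind.example": {"93.184.216.34", "169.254.169.254"},  # one record points inside
    "localhost": {"127.0.0.1"},
}


def fake_resolver(hostname):
    if hostname in FAKE_DNS:
        return {ipaddress.ip_address(a) for a in FAKE_DNS[hostname]}
    return {ipaddress.ip_address(hostname)}  # IP literals resolve to themselves
```

Because the headless browser will resolve the name again when it fetches the page, the vetted IP should be pinned for the actual request (or the check repeated at connect time), otherwise a DNS answer that changes between check and fetch defeats the filter.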
Below I walk through the methods I applied to discover flaws in this functionality. Many of these attempts failed, but continued testing led me to one method that returned any AWS metadata I requested from the back-end server.