New Amazon EC2 (Amazon Elastic Compute Cloud) instances can defend against exploitation attempts that use common GET-based SSRF (Server-Side Request Forgery) vulnerabilities. IMDSv2 (Instance Metadata Service Version 2) mitigates such attempts by restricting access to the metadata service through conditional authentication:
- An HTTP PUT request to `169.254.169.254/latest/api/token` needs to be made to generate a token, using the custom HTTP header `x-aws-ec2-metadata-token-ttl-seconds`, which holds the number of seconds the requested token is valid for.
- The requested token needs to be delivered via a new custom HTTP header called `x-aws-ec2-metadata-token` when interacting with the Instance Metadata Service.
This will successfully eliminate GET-based SSRF in AWS environments.
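The two conditions above, as an added example that is not part of the original page and is not AWS code: a mock metadata service on 127.0.0.1 enforces only the checks listed here and is queried once without and once with a token. The `/latest/meta-data/` request path, the response value and all function and class names are assumptions made for the demo.

```python
import http.client, http.server, secrets, threading, time

TOKEN_HDR = "x-aws-ec2-metadata-token"
TTL_HDR = "x-aws-ec2-metadata-token-ttl-seconds"
TOKENS = {}  # token -> expiry timestamp (the mock's in-memory store)

class MockIMDS(http.server.BaseHTTPRequestHandler):
    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):  # condition 1: PUT with a TTL header returns a token
        ttl = self.headers.get(TTL_HDR, "")
        if self.path != "/latest/api/token" or not ttl.isdigit():
            return self._reply(400)
        token = secrets.token_urlsafe(32)
        TOKENS[token] = time.time() + int(ttl)
        self._reply(200, token.encode())

    def do_GET(self):  # condition 2: metadata only with a valid, unexpired token
        token = self.headers.get(TOKEN_HDR, "")
        if TOKENS.get(token, 0) < time.time():
            return self._reply(401)
        self._reply(200, b"constructed-metadata-value")

def request(port, method, path, headers=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body

def demo():
    with http.server.HTTPServer(("127.0.0.1", 0), MockIMDS) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        port = server.server_port
        try:
            # A request forged through a GET-only SSRF carries no token header.
            plain_get = request(port, "GET", "/latest/meta-data/")
            _, token = request(port, "PUT", "/latest/api/token", {TTL_HDR: "60"})
            with_token = request(port, "GET", "/latest/meta-data/", {TOKEN_HDR: token})
            return plain_get, with_token
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(demo())
```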
Last modified on 2021-12-15