AWS Tackling Server Side Request Forgery

New Amazon EC2 (Amazon Elastic Compute Cloud) instances can defend against exploitation attempts that use common GET-based SSRF (Server-Side Request Forgery) vulnerabilities. IMDSv2 (Instance Metadata Service Version 2) now mitigates such attempts by restricting access to the metadata service with conditional authentication:

  1. An HTTP PUT request to 169.254.169.254/latest/api/token must be made to generate a token, using the custom HTTP header x-aws-ec2-metadata-token-ttl-seconds, which holds the number of seconds the requested token is valid for.
  2. The requested token must be delivered via a new custom HTTP header called x-aws-ec2-metadata-token when interacting with the Instance Metadata Service.

This will successfully eliminate GET-based SSRF in AWS environments.
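
The two-step exchange above, modelled as an added example (not AWS code and not part of the original post): a simplified in-memory mock of the service that shows why a request limited to GET with no custom headers is refused. The class name, the status codes, the 1 to 21600 second TTL bound and the sample instance ID are assumptions of this model.

```python
import secrets
import time

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "x-aws-ec2-metadata-token"


class MockIMDSv2:
    """Simplified in-memory model of the two-step exchange (hypothetical, not AWS code)."""

    def __init__(self, metadata, clock=time.monotonic):
        self.metadata = metadata  # path -> body, constructed sample data
        self.clock = clock        # injectable so expiry can be exercised
        self.tokens = {}          # token -> expiry timestamp

    def handle(self, method, path, headers=None):
        # HTTP header names are case-insensitive.
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if path == TOKEN_PATH:
            return self._issue_token(method, headers)
        if method != "GET":
            return 405, ""
        expiry = self.tokens.get(headers.get(TOKEN_HEADER, ""))
        if expiry is None or self.clock() >= expiry:
            return 401, ""        # missing, unknown or expired token
        if path not in self.metadata:
            return 404, ""
        return 200, self.metadata[path]

    def _issue_token(self, method, headers):
        if method != "PUT":       # step 1 cannot be performed with a GET
            return 405, ""
        ttl = headers.get(TTL_HEADER, "")
        valid = ttl.isascii() and ttl.isdigit() and len(ttl) <= 5
        if not valid or not 1 <= int(ttl) <= 21600:
            return 400, ""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = self.clock() + int(ttl)
        return 200, token


if __name__ == "__main__":
    imds = MockIMDSv2({"/latest/meta-data/instance-id": "i-EXAMPLE"})  # constructed value
    path = "/latest/meta-data/instance-id"
    print("GET only:", imds.handle("GET", path))
    _, token = imds.handle("PUT", TOKEN_PATH, {TTL_HEADER: "60"})
    print("PUT then GET with token:", imds.handle("GET", path, {TOKEN_HEADER: token}))
```
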


Last modified on 2021-12-15
