{"id":5178,"date":"2025-04-11T08:56:58","date_gmt":"2025-04-11T08:56:58","guid":{"rendered":"https:\/\/signmycode.com\/blog\/?p=5178"},"modified":"2025-04-11T08:57:00","modified_gmt":"2025-04-11T08:57:00","slug":"amazon-ec2-instance-metadata-targeted-via-server-side-request-forgery-ssrf","status":"publish","type":"post","link":"https:\/\/signmycode.com\/blog\/amazon-ec2-instance-metadata-targeted-via-server-side-request-forgery-ssrf","title":{"rendered":"Amazon EC2 Instance Metadata Targeted via Server-Side Request Forgery (SSRF)"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-introduction\">Introduction<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">On March 25, 2024, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory about an increasingly common yet often overlooked web application vulnerability, Server-Side Request Forgery (SSRF).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/signmycode.com\/blog\/what-is-server-side-request-forgery-ssrf-types-impact-mitigate-prevention\">SSRF<\/a> has been known to security practitioners for several years; more recently, however, the incident record makes clear that this vector is increasingly being weaponized by sophisticated threat actors, particularly in cloud environments. With automation, short patch cycles, and complex systems integrations, SSRF has evolved into a significant cyber risk.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In cloud environments such as <a href=\"https:\/\/signmycode.com\/blog\/what-is-aws-ec2-everything-about-ec2-fundamentals-in-aws\"><strong>AWS EC2<\/strong><\/a>, SSRF can be used to extract metadata, steal credentials, and compromise services. 
Understanding how EC2 works is crucial to building better security models and protecting cloud-native apps from these kinds of attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-exploiting-ec2-instance-metadata-through-ssrf\">Exploiting EC2 Instance Metadata through SSRF<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker induces an application server to make HTTP requests it was never intended to make. It arises when a web application builds a request to another server from user input without proper validation or sanitization.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Because the forged request originates from a trusted server, SSRF lets an attacker bypass security controls that sit in front of internal resources and reach resources that should be unreachable from outside.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Recommended:<\/strong> <a href=\"https:\/\/signmycode.com\/blog\/what-is-cross-site-request-forgery-csrf-example-mitigation-and-prevention\">What is Cross-Site Request Forgery (CSRF)? Example, Mitigation and Prevention<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A classic SSRF use case targets cloud environments such as AWS EC2 instances. By exploiting a vulnerable server to direct a request to the AWS instance metadata endpoint (http:\/\/169.254.169.254), an attacker can retrieve temporary credentials, such as access keys and session tokens.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With these credentials, an attacker can compromise the cloud account and\/or act on its behalf to manipulate cloud services. This use case shows how an exploitable bug in an otherwise innocuous web application can turn into a complete infrastructure compromise.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Beyond leaking credentials, SSRF can be used to port-scan internal IP ranges, reach internal management panels, and more. 
An SSRF can also be chained with a <a href=\"https:\/\/signmycode.com\/blog\/what-is-remote-code-execution-types-impact-technique-and-prevention\">Remote Code Execution (RCE)<\/a> vulnerability for complete system compromise. Put bluntly, SSRF turns your trusted servers into weapons against you.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-real-world-ssrf-campaigns-in-2023-2024\">Real-World SSRF Campaigns in 2023\u20132024<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">According to the recent NSA-CISA advisory, SSRF is no longer a theoretical issue: adversaries, including Chinese nation-state actors and other advanced persistent threats (APTs), have begun using SSRF for initial access and lateral movement.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These attackers take advantage of improperly configured APIs, unrestricted outbound traffic, and servers that implicitly trust internal URLs.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-normal-font-size wp-block-paragraph\">A well-publicized example is the Capital One breach in 2019, where a former AWS employee exploited an SSRF vulnerability in combination with an improperly configured Web Application Firewall (WAF) to retrieve over 100 million customer records.<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">This demonstrated how an SSRF exploit, compounded by ordinary infrastructure weaknesses such as a poorly configured firewall, can lead to catastrophic data exfiltration.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The discovery of the <strong>Spring4Shell vulnerability in 2022<\/strong> is also relevant here. 
Although it was not itself an SSRF vulnerability, it exposed metadata endpoints to attackers, giving them indirect, SSRF-like access to those endpoints.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Similarly, Log4Shell attacks were often followed by SSRF to enumerate further access. These examples show how SSRF acts as a force multiplier: once an initial foothold is established, SSRF gives attackers the ability to enumerate and extend their access within the privileged internal network.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-prevent-ssrf-attacks-with-these-tips-and-best-practices\">Prevent SSRF Attacks With These Tips and Best Practices<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To stop SSRF attacks before they impact your infrastructure, security teams must enforce input validation, restrict internal access, and apply zero-trust principles across internal services. Use metadata protection mechanisms such as <strong>AWS IMDSv2<\/strong> (which requires a session token obtained with a PUT request, a step most SSRF primitives cannot perform), implement allow-listed egress filters, and monitor all outbound traffic for unusual patterns.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For complete guidance, read our full breakdown on <a href=\"https:\/\/signmycode.com\/blog\/what-is-server-side-request-forgery-ssrf-types-impact-mitigate-prevention\"><strong>SSRF types, impact, and mitigation<\/strong><\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Because SSRF is emerging as a top threat vector, practitioners in development, DevOps, and security leadership need to take it seriously. Attackers automate their scanning and routinely find websites and web services whose cloud integrations are misconfigured.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SSRF can result in significant data breaches and full compromise of infrastructure. 
Mitigating these risks means recognizing that defending against outside attacks is not enough; internal and private services need to be protected as well.<\/p>\n","protected":false},"author":1,"featured_media":5180,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[458,457],"tags":[823,824],"class_list":["post-5178","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security","category-developers-guide","tag-amazon-ec2-instance-metadata-hacked","tag-amazon-ec2-instance-metadata-ssrf-attack","entry"],"yoast_head_json":{"title":"Amazon EC2 Instance Metadata Targeted via SSRF","description":"Discover the latest exploited Server-Side Request Forgery (SSRF) vulnerabilities on websites hosted in EC2 instances on AWS.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/signmycode.com\/blog\/amazon-ec2-instance-metadata-targeted-via-server-side-request-forgery-ssrf","og_locale":"en_US","og_type":"article","og_title":"Amazon EC2 Instance Metadata Targeted via Server-Side Request Forgery (SSRF)","og_description":"Discover the latest exploited Server-Side Request Forgery (SSRF) vulnerabilities on websites hosted in EC2 instances on AWS.","og_url":"https:\/\/signmycode.com\/blog\/amazon-ec2-instance-metadata-targeted-via-server-side-request-forgery-ssrf","og_site_name":"SignMyCode - Blog","article_published_time":"2025-04-11T08:56:58+00:00","article_modified_time":"2025-04-11T08:57:00+00:00","og_image":[{"width":912,"height":453,"url":"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2025\/04\/amazon-ec2-ssrf-attack.webp","type":"image\/jpeg"}],"author":"Janki Mehta","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Janki Mehta","Est. reading time":"4 minutes"}}}