Server-side request forgery is a class of attack that is not cloud or AWS specific. However, the existence of cloud metadata services, such as IMDS in AWS, have historically allowed for a substantial straightforward impact when SSRF is achieved on a cloud hosted application. For that reason, we include this list of SSRF attacks against AWS environments.
- October 2014 - Prezi Got Pwned: A Tale of Responsible Disclosure
- Bypassing SSRF Protection to Exfiltrate AWS Metadata from LarkSuite
- ESEA Server-Side Request Forgery and Querying AWS Meta Data
- A pair of Plotly bugs: Stored XSS and AWS Metadata SSRF
- Dropbox - Full Response SSRF via Google Drive
- Mandiant - Old Services, New Tricks: Cloud Metadata Abuse by UNC2903
- SSRF leads to access AWS metadata.
- Escalating SSRF to RCE
- SSRF Leads To AWS Metadata Exposure
- How I discovered an SSRF leading to AWS Metadata Leakage
- Exploitation of an SSRF vulnerability against EC2 IMDSv2
- Mozilla - AWS SSRF to Pull AWS Metadata and Keys
- Full read SSRF in www.evernote.com that can leak aws metadata and local file inclusion |
- SSRF allows reading AWS EC2 metadata using "readapi" variable in Streamlabs Cloudbot
- Server Side Request Forgery (SSRF) at app.hellosign.com leads to AWS private keys disclosure
- SSRF via Office file thumbnails
- Getting AWS creds via SSRF on rss.app
- AWS takeover through SSRF in JavaScript
- Yahoo Small Business (Luminate) and the Not-So-Secret Keys
- Bug Bounty Story: Escalating SSRF to RCE on AWS
- A Nifty SSRF Bug Bounty Write Up
- Mozilla Hubs Cloud: cloud api credentials exposure
- Lacework Labs: New surge in AWS credential compromises tied to Grafana SSRF attacks
- EC2 User-data to RCE
- Server Side Request Forgery (SSRF) via Analytics Reports
- SSRF to read AWS metaData at https://█████/ [HtUS]
- SSRF on █████████ Allowing internal server data access
- The Unusual Case of Status code- 301 Redirection to AWS Security Credentials Compromise
For more about this attack, please see Hacking the Cloud - Steal EC2 Metadata Credentials via SSRF