Request URL: http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F

If a server-side script executes shell commands that include user input, an attacker might inject:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

If the command runs, the metadata service responds with the instance's IAM credentials, for example:

{
  "Code": "Success",
  "LastUpdated": "2023-04-12T16:55:44Z",
  "Type": "AWS4",
  "AccessKeyId": "ASIAQHJYEXAMPLE123",
  "SecretAccessKey": "6P+RveEXAMPLEKeyHere123",
  "SessionToken": "IQoJc2Vhc3QtMSJIMEYCIQCEXAMPLETokenValue123==",
  "Expiration": "2023-04-12T23:55:44Z"
}

Use host-based firewalls (iptables, nftables) to restrict access to 169.254.169.254 to trusted processes only, or to block it entirely:

iptables -A OUTPUT -d 169.254.169.254 -j DROP

Note on Encoding: URL encoding (e.g., %3A for ":" and %2F for "/") is a standard evasion technique used to bypass Web Application Firewalls (WAFs) or input-sanitization logic that only looks for the string 169.254.169.254 in plaintext.

The requested URL targets the Instance Metadata Service (IMDS) of an Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instance. This is not a standard external website; rather, it is a specialized internal HTTP endpoint that exists on every AWS EC2 instance. The URL is encoded to bypass the standard input validation filters often found in web applications.

The attempt to access this URL indicates a likely Server-Side Request Forgery (SSRF) attack. The goal of the attacker is to trick the server into querying itself to retrieve sensitive IAM (Identity and Access Management) security credentials. If successful, this allows the attacker to hijack the permissions of the compromised server, potentially leading to full cloud account takeover.