When a web application SSRF causes the cloud to rain credentials & more

The unofficial PDF version of this blog post can be downloaded from here:

https://soroush.secproject.com/downloadable/when-a-web-application-ssrf-causes-the-cloud-to-rain-credentials-and-more.pdf

The following blog post was written by me and Daniele Costa:

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/when-a-web-application-ssrf-causes-the-cloud-to-rain-credentials-and-more/

In this blog post we have demonstrated an SSRF exploitation to steal AWS credentials to access Amazon S3. What made this attack special was the fact that http://169.254.169.254/latest/meta-data/iam/ was not accessible to our users during the exploitation. Therefore, we had to use the ‘userData’ attribute in EC2 describe-instance-attribute operation to extract the sensitive data.