
SSRF to RCE: Exploiting Cloud Metadata Services in Production

Overview

Server-Side Request Forgery (SSRF) remains one of the most impactful vulnerability classes in cloud-hosted applications. In this engagement, a seemingly low-severity SSRF in a PDF generation feature escalated to full infrastructure compromise.

The Vulnerability

The application had a feature that generated PDF reports from user-supplied URLs. While the application filtered obvious internal IPs, it did not account for cloud metadata endpoints.

POST /api/reports/generate
{"template_url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}

Exploitation Chain

  1. **SSRF Discovery** — The PDF generator fetched arbitrary URLs server-side
  2. **Metadata Access** — Reached the AWS metadata service at 169.254.169.254
  3. **Credential Theft** — Extracted temporary IAM credentials from the instance role
  4. **Lateral Movement** — Used stolen credentials to access S3 buckets and internal APIs
  5. **RCE** — Leveraged SSM permissions to execute commands on EC2 instances

Remediation

  • Implement IMDSv2 (requires session tokens for metadata access)
  • Use allowlists for outbound requests, not blocklists
  • Run document processing in isolated, network-restricted containers
  • Apply least-privilege IAM policies to instance roles
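The allowlist and "metadata unreachable" points above, as an added example that is not code from the engagement or the affected application: a Python pre-fetch check for the `template_url` parameter that accepts only allowlisted hosts, then resolves them and rejects any address that is not globally routable (link-local 169.254.0.0/16 where IMDS lives, RFC 1918, loopback, IPv4-mapped IPv6). The allowlist, the resolver hook and the sample addresses are constructed for the example; the returned pinned IP is meant to be the address the fetcher actually connects to, so a DNS rebinding between check and fetch cannot reintroduce the hole.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts the PDF generator may fetch templates from (constructed for this example).
ALLOWED_HOSTS = {"templates.example.com", "cdn.example.com"}
ALLOWED_PORTS = {80, 443}


def default_resolver(host):
    """Resolve host to every address the HTTP client could connect to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_template_url(url, resolver=default_resolver):
    """Return (ok, reason, pinned_ip); pinned_ip is the address the fetch must use."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}", None
    host = parts.hostname
    if host is None:
        return False, "missing host", None
    if parts.username or parts.password:
        return False, "credentials in URL", None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port", None
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}", None
    # Allowlist first: a bare IP literal (dotted, decimal, hex or IPv6) is never on it,
    # which removes the whole family of encoding bypasses before any resolution happens.
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host not on allowlist: {host!r}", None
    # Resolve and require every answer to be globally routable, so an allowlisted
    # name that is later pointed at 169.254.169.254 or 10.x.x.x is still refused.
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}", None
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata address
        if not ip.is_global:
            return False, f"{host} resolves to non-public address {ip}", None
    return True, "ok", sorted(addrs)[0]
```

Blocking the address in code is only one layer: the container egress rules and IMDSv2 enforcement from the list above still apply, because a future URL handler may skip this check.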

Takeaway

Cloud metadata services are a high-value target for attackers. If your application makes server-side HTTP requests, ensure metadata endpoints are unreachable — and enforce IMDSv2 as a defense-in-depth measure.
