The attacker submits the IMDS URL as a webhook. The IP address is a link-local address used by major cloud providers (like Azure, AWS, and GCP) to host their Instance Metadata Service (IMDS).

This is the "keys to the kingdom" request. It asks the IMDS to generate an OAuth 2.0 access token for the resource (like Key Vault, Storage, or SQL) that the VM is authorized to access.

Why "Webhook-URL" makes it Dangerous

The server, thinking it's sending a notification to an external service, instead sends a GET request to the local metadata endpoint.

Modern IMDS implementations require a specific HTTP header (like Metadata: true) that cannot be easily forged in a simple SSRF attack. Ensure your cloud configurations enforce these requirements.
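The two defensive points above (validate outbound webhook targets before the server ever connects, and rely on the IMDS header gate as a second layer) can be checked in code. The following is an added example written for this page, not code from the original article or from any cloud provider. `validate_webhook_url` and `simulated_imds_accepts` are hypothetical helpers; the DNS answers and the `Metadata: true` model are constructed for the demonstration, and the only real value used is the well-known link-local IMDS address shared by AWS, Azure and GCP.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# The well-known link-local address at which AWS, Azure and GCP expose their
# Instance Metadata Service. Used here only to build constructed test inputs.
IMDS_ADDRESS = "169.254.169.254"

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve a hostname to the IP strings it points at (system resolver)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_forbidden(addr):
    """True for any address a webhook must never reach: link-local (where IMDS
    lives), loopback, RFC 1918 / ULA, multicast, reserved and unspecified."""
    # An IPv4-mapped IPv6 literal such as ::ffff:169.254.169.254 is judged by
    # its embedded IPv4 address, otherwise the literal form would slip through.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_link_local or addr.is_loopback or addr.is_private
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_webhook_url(url, resolver=default_resolver):
    """Return (allowed, reason) for a user-supplied webhook URL.

    Hypothetical helper (not from the original article). Hostnames are
    resolved *before* any request is made, so a DNS name pointing at the
    metadata address is rejected just like the bare IP literal.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]          # IP literal, no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError, KeyError) as exc:
            return False, f"cannot resolve {host!r}: {exc!r}"
    for addr in addrs:
        if _is_forbidden(addr):
            return False, f"{host!r} resolves to forbidden address {addr}"
    return True, "ok"


def simulated_imds_accepts(request_headers):
    """Constructed model of the header gate described above: the request is
    served only if it carries 'Metadata: true'. A generic webhook sender that
    just GETs whatever URL it was given sets no such header."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    return lowered.get("metadata", "").lower() == "true"


def demo():
    """Run both checks over constructed inputs and return the outcomes."""
    fake_dns = {                                      # constructed DNS answers
        "hooks.example.com": ["93.184.216.34"],        # a routable public address
        "metadata.internal.example": [IMDS_ADDRESS],   # a name hiding the IMDS target
    }
    resolver = lambda h: fake_dns[h]
    return {
        "public": validate_webhook_url("https://hooks.example.com/notify", resolver)[0],
        "imds_literal": validate_webhook_url(f"http://{IMDS_ADDRESS}/", resolver)[0],
        "imds_mapped_v6": validate_webhook_url(f"http://[::ffff:{IMDS_ADDRESS}]/", resolver)[0],
        "imds_via_dns": validate_webhook_url("http://metadata.internal.example/", resolver)[0],
        "webhook_get_at_imds": simulated_imds_accepts({"User-Agent": "webhook-sender/1.0"}),
        "legit_imds_client": simulated_imds_accepts({"Metadata": "true"}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

Two design choices matter here. The validator resolves the hostname itself instead of trusting the URL string, because the string alone cannot tell a public name from one that resolves to a link-local address; a production version should also pin the resolved address for the actual request so a second lookup cannot return a different answer. The `simulated_imds_accepts` model shows why the header requirement is only a second layer: it stops a bare GET, but it does not help if the webhook sender lets callers add arbitrary headers, so the URL check remains the primary control.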