Beginner Friendly
SSRF to Pwned
Learn how EC2 instance metadata makes SSRF vulnerabilities much more dangerous!
Overview
We created this beginner-friendly lab to showcase how a Server Side Request Forgery (SSRF) vulnerability can become much more severe when the vulnerable website is hosted on an EC2 instance.
Scenario
Rumors are swirling on hacker forums about a potential breach at Huge Logistics. Your team has been monitoring these conversations closely, and Huge Logistics has asked you to assess the security of their website. Beyond the surface-level assessment, you're also to investigate links to their cloud infrastructure, mapping out any potential risk exposure. The question isn't just if they've been compromised, but how deep the rabbit hole goes.
Lab prerequisites
Learning outcomes
- Familiarity with the AWS CLI
- Web enumeration and SSRF identification
- Understanding of EC2 instance metadata, and how it can facilitate further access
- S3 bucket enumeration
- Understanding of mitigations and best practices that could have prevented the attack
Real-world context
The Capital One breach was carried out by exploiting an SSRF vulnerability, which allowed the attacker to make the web application send requests to resources that should have been inaccessible. This vulnerability was used to reach the instance metadata service of an AWS EC2 instance, which then provided the attacker with temporary security credentials for an IAM role that had excessive permissions. Those credentials allowed the attacker to access data stored in an AWS S3 bucket that contained sensitive information of Capital One customers.
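The application-side control that breaks the first link of this chain is validating where a server-side request is allowed to go before sending it. The following is an added example written for this page (not code from the lab, Pwned Labs, or Capital One) showing a default-deny check: the URL scheme must be http or https, the hostname must resolve, and every resolved address must be a globally routable IP, which rejects the link-local metadata address, the IPv6 metadata address, loopback and RFC 1918 ranges alike. The `FAKE_DNS` table and the `resolve` helper are constructed stand-ins for real DNS lookups so the example runs offline; in production, `resolve` would call `socket.getaddrinfo` and the HTTP client would connect to the validated IP rather than re-resolving the hostname (which is what prevents DNS rebinding).

```python
import ipaddress
from urllib.parse import urlparse

# Constructed lookup table standing in for DNS so the example runs offline.
# The hostnames and addresses are made up for this example.
FAKE_DNS = {
    "partner.example.com": ["93.184.216.34"],           # ordinary public host
    "metadata.internal.example": ["169.254.169.254"],   # name pointing at IMDS
    "dual.example.com": ["93.184.216.34", "10.0.0.5"],  # one public, one internal A record
}


def resolve(host):
    """Return every address a host resolves to (constructed table, not real DNS).

    A bare IP literal resolves to itself. Anything unknown resolves to nothing,
    so unusual encodings (decimal, hex, octal) fall through to a deny.
    """
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return []


def is_safe_outbound_url(url, resolver=resolve):
    """Default-deny policy for server-side fetches.

    Allow only http/https, only hostnames that resolve, and only if *every*
    resolved address is globally routable. ipaddress.is_global is False for
    loopback, link-local (169.254.0.0/16, including 169.254.169.254),
    RFC 1918, unique-local IPv6 (fc00::/7, including fd00:ec2::254),
    shared address space and the reserved/documentation ranges.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname  # brackets stripped for IPv6 literals, lower-cased
    if not host:
        return False
    addrs = resolver(host)
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            return False
    return True


if __name__ == "__main__":
    for candidate in (
        "https://partner.example.com/status",
        "http://169.254.169.254/latest/meta-data/",
        "http://[fd00:ec2::254]/latest/meta-data/",
        "http://dual.example.com/",
        "file:///etc/passwd",
    ):
        print(f"{'ALLOW' if is_safe_outbound_url(candidate) else 'DENY ':5} {candidate}")
```

The check rejects `dual.example.com` even though one of its records is public: a single internal record is enough for the request to land on the metadata endpoint, so any non-global address fails the whole URL.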
The data breach resulted in the exposure of personal information of over 100 million people in the United States and 6 million people in Canada. The exposed data included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Also compromised were customer status data, credit scores, credit limits, balances, payment history, contact information, and fragments of transaction data.
The breach was a major event in cybersecurity and has led to extensive discussions about cloud security, the principle of least privilege, and the appropriate use of security measures like firewalls and monitoring systems. It highlighted the need for organizations to rigorously follow best practices for securing their systems and data. This attack scenario was in part possible due to insecure default settings and is still exploitable at the time of writing.
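The instance-side mitigation for the "insecure default settings" mentioned above is to require IMDSv2 (session tokens obtained with a PUT request carrying a custom header, which a plain SSRF request cannot produce) and to keep the metadata response hop limit at 1 so the response cannot be forwarded beyond the instance itself. The following is an added example for this page, not code from the lab or from AWS, that audits the JSON shape returned by `aws ec2 describe-instances` and reports instances where IMDSv1 is still allowed or the hop limit is raised. The `SAMPLE_DESCRIBE_INSTANCES` document and its instance IDs are constructed so the audit runs offline; against a real account you would pipe `aws ec2 describe-instances --output json` into `audit_imds`. The CLI flags in `remediation_command` are real `aws ec2 modify-instance-metadata-options` options.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances --output json`.
# The instance IDs and values are made up for this example.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",   # IMDSv1 allowed, hop limit raised
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2",   # hardened: IMDSv2 only, hop limit 1
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0ccccccccccccccc3",   # IMDS endpoint disabled entirely
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
        ]}
    ]
})


def audit_imds(describe_instances_json):
    """Return {instance_id: [issue, ...]} for instances whose IMDS settings
    would let an SSRF read role credentials."""
    findings = {}
    data = json.loads(describe_instances_json)
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            # With the endpoint disabled, nothing on the instance can reach IMDS,
            # so the token setting is irrelevant.
            if opts.get("HttpEndpoint") == "disabled":
                continue
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed: HttpTokens is not 'required'")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("HttpPutResponseHopLimit > 1: metadata responses can "
                              "be forwarded beyond the instance (e.g. into containers)")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def remediation_command(instance_id):
    """Build the AWS CLI command that enforces IMDSv2 on one instance."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {instance_id} "
            "--http-tokens required "
            "--http-put-response-hop-limit 1 "
            "--http-endpoint enabled")


if __name__ == "__main__":
    for instance_id, issues in audit_imds(SAMPLE_DESCRIBE_INSTANCES).items():
        print(instance_id)
        for issue in issues:
            print("  -", issue)
        print("  fix:", remediation_command(instance_id))
```

Requiring IMDSv2 removes the credential-theft step of the chain, but it does not replace least privilege on the instance role: the Capital One role's excessive S3 permissions are what turned a metadata read into a data breach, so the role policy needs the same review.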