When a web application SSRF causes the cloud to rain credentials & more

The following blog post was written by me and Daniele Costa:


In this blog post we demonstrate an SSRF exploit used to steal AWS credentials and access Amazon S3. What made this attack special was the fact that was not accessible to our users during the exploitation. Therefore, we had to use the ‘userData’ attribute of the EC2 describe-instance-attribute operation to extract the sensitive data.