Curl-url-http-3a-2f-2f169.254.169.254-2flatest-2fapi-2ftoken
However, the simplified command in your keyword: curl http://169.254.169.254/latest/api/token — , not the credentials themselves. Still, in a real attack, once the attacker has this token, they can use it to fetch IAM credentials.
Once you have the $TOKEN, you use it in subsequent requests to fetch metadata (like IAM credentials) by adding the header -H "X-aws-ec2-metadata-token: $TOKEN".
While convenient, this simple request-response architecture became a primary target for attackers exploiting vulnerabilities. If a web application running on an EC2 instance had an SSRF flaw, an external attacker could trick the application into fetching the metadata—including IAM secret keys—and returning it to the attacker.
IMDSv2: The Session-Oriented Model
Once you have the token, you must pass it inside the X-aws-ec2-metadata-token header to fetch actual metadata:
import requests
curl http://169.254.169.254/latest/meta-data/ (Direct request, vulnerable to SSRF).
curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"
When an attacker or a security researcher decodes this, they see:
Most SSRF vulnerabilities rely on simple GET requests via misconfigured URL parsers or file-inclusion flaws. Because IMDSv2 requires both a PUT method and a custom header (X-aws-ec2-metadata-token-ttl-seconds), generic SSRF exploits fail to retrieve tokens.
2. Open Proxy and WAF Protections
The instance makes a PUT request to /latest/api/token to generate a temporary session token.
Because the token requires a PUT request and a specific custom header (X-aws-ec2-metadata-token-ttl-seconds), standard SSRF tools and exploit strings fail to breach the metadata wall.
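The PUT-plus-header requirement described above, exercised against a local mock so it runs offline (an added example, not code from the original page or from AWS). MockIMDSv2, its status codes, the constructed token and the constructed metadata listing are assumptions standing in for a v2-only metadata service.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
SESSION_TOKEN = "constructed-session-token"  # constructed value, not a real token
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxies

class MockIMDSv2(BaseHTTPRequestHandler):
    """Local stand-in for a v2-only metadata service; status codes are assumed."""
    def _reply(self, code, body=""):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body.encode())

    def do_PUT(self):
        if self.path == "/latest/api/token" and self.headers.get(TTL_HEADER):
            return self._reply(200, SESSION_TOKEN)
        self._reply(400)  # PUT without the TTL header gets no token

    def do_GET(self):
        if self.path == "/latest/api/token":
            self._reply(405)  # the token endpoint only answers PUT
        elif self.headers.get(TOKEN_HEADER) == SESSION_TOKEN:
            self._reply(200, "ami-id\ninstance-id\n")  # constructed listing
        else:
            self._reply(401)  # metadata request without a valid session token
    def log_message(self, *args): pass  # keep the demo quiet

def call(base, method, path, headers=None):
    req = urllib.request.Request(base + path, method=method, headers=headers or {})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # report 4xx as a status, not an exception
        return err.code, ""

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), MockIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    blind_get = call(base, "GET", "/latest/meta-data/")  # GET-only fetch, no token
    get_token = call(base, "GET", "/latest/api/token")   # GET cannot mint a token
    session = call(base, "PUT", "/latest/api/token", {TTL_HEADER: "21600"})
    listing = call(base, "GET", "/latest/meta-data/", {TOKEN_HEADER: session[1]})
    server.shutdown()
    return blind_get, get_token, session, listing
```

Calling run_demo() returns the four (status, body) pairs in order: the two GET-only attempts are refused, and only the PUT with the TTL header followed by a GET carrying the token header returns the listing.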
Some older instances or custom AMIs may still have IMDSv1 only. You can check with: