Webhook-url-http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken

At first glance, the string looks like gibberish – a mix of letters, numbers, and percent signs. However, it is a percent-encoded form of a sensitive internal endpoint:

http://169.254.169.254/metadata/identity/oauth2/token

This article explores the mechanics, use cases, and security implications of using this endpoint to acquire OAuth2 access tokens, specifically via the URL format often seen in webhook configurations: http://169.254.169.254/metadata/identity/oauth2/token.

1. What is the IMDS Token Endpoint?

The IP address 169.254.169.254 is a link-local address, meaning it is only accessible from within the virtual machine (VM) and never leaves the host network. The metadata service behind it contains highly sensitive configuration data about the cloud environment.

/metadata/identity/oauth2/token is the specific endpoint used to request access tokens for Azure resources. If accessed with the correct headers (specifically Metadata: true), Azure returns a JSON response containing an access_token. An attacker who retrieves this token can use it to authenticate to Azure services (such as Key Vault, Storage, or SQL) as that virtual machine.

The attacker inherits whatever permissions are assigned to that virtual machine's Managed Identity. If the VM has Reader, Contributor, or Owner access to the Azure subscription, the attacker now shares that power.

The use of this URL as a webhook target could indicate a potential threat, as it may be an attempt to make the webhook server call the token endpoint on the submitter's behalf (server-side request forgery, SSRF).

If the server doesn't add the required Metadata: true header, the IMDS will reject the request (Azure requires it). But many SSRF attacks can still succeed if the server includes default headers – some HTTP libraries automatically add Host and User-Agent, and some even forward custom headers.

Only permit webhook URLs matching a pre-approved list of domains. You cannot block access to 169.254.169.254 outright, because the VM needs it for normal operation, so the check has to happen in the webhook system itself.

Ensure your cloud "Managed Identities" have only the bare minimum permissions. If a token is stolen, the damage is limited to what that specific identity can do.

What runtime (e.g., Node.js, Python, Java) powers your webhook system?
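The allowlist check described above, as an added example that is not part of the original article: it percent-decodes the submitted webhook URL before judging it (so the encoded form of the metadata URL is seen for what it is), rejects link-local and other non-routable targets, and re-checks the addresses an allowlisted name resolves to. The allowlist, the offline resolver and its address mapping are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

# Constructed allowlist for this example; a real deployment loads its own.
ALLOWED_HOSTS = {"hooks.example.com"}

def _blocked(ip) -> bool:
    # Link-local covers 169.254.169.254 (and fe80::/10); "not global" also
    # rejects loopback, RFC 1918, unspecified and other non-routable targets.
    return ip.is_link_local or not ip.is_global

def validate_webhook_url(url: str, resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Return (ok, reason). Percent-decodes first so an encoded copy of the
    metadata URL is judged on its decoded value; store and use that decoded
    value downstream, never the raw submission."""
    parts = urlsplit(unquote(url))
    if parts.scheme != "https":
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:                                  # literal IP in the URL: check it directly
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None and _blocked(literal):
        return False, f"blocked address {literal}"
    if host not in ALLOWED_HOSTS:          # also rejects any remaining IP literal
        return False, f"host not on allowlist: {host}"
    # An allowlisted name can still point at the metadata address (DNS
    # misconfiguration or rebinding), so check every address it resolves to.
    try:
        infos = resolver(host, parts.port or 443)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for info in infos:
        resolved = ipaddress.ip_address(info[4][0])
        if _blocked(resolved):
            return False, f"{host} resolves to blocked address {resolved}"
    return True, "ok"

def offline_resolver(host, port):
    """Constructed stand-in for socket.getaddrinfo so the example runs offline."""
    table = {"hooks.example.com": "93.184.216.34"}   # constructed mapping
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (table[host], port))]

if __name__ == "__main__":
    for u in ("http://169.254.169.254/metadata/identity/oauth2/token",
              "https://169%2E254%2E169%2E254/metadata/identity/oauth2/token",
              "https://hooks.example.com/events"):
        print(u, "->", validate_webhook_url(u, resolver=offline_resolver))
```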