Webhook-url-http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken

This URL is an attack payload, not a legitimate webhook target; an application should never accept it as one.

This specific endpoint targets the Azure Instance Metadata Service (IMDS) token endpoint. It is heavily abused by adversaries attempting to extract the temporary OAuth 2.0 access tokens issued to a cloud virtual machine's managed identity. If an application accepts unfiltered user-defined URLs for webhooks, it risks exposing its entire cloud infrastructure to data exfiltration or total tenant compromise.

Anatomy of the Payload

# From inside an Azure VM with Managed Identity enabled
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -H 'Metadata: true'

The IP address 169.254.169.254 is a link-local address used by cloud providers (specifically Azure in this context) to provide metadata to running virtual machine instances.

Implement egress filtering that alerts on or blocks any outbound HTTP request to 169.254.169.254 except from explicitly allowed processes (e.g., legitimate CLI tools such as az or aws). Most application servers should never need to fetch from the metadata service manually; they use SDKs that handle it internally.

Understanding the SSRF Risk: webhook-url-http-3A-2F-2F169.254.169.254-2Fmetadata-2Fidentity-2Foauth2-2Ftoken

Protecting your applications from SSRF via webhooks requires a layered approach.

– Explicitly block requests to link-local addresses (like 169.254.169.254) and private IP ranges (RFC 1918).

– URL encoding bypasses simple string blacklists that look for 169.254.169.254 or metadata. Attackers can also use decimal, octal, or IPv6 representations (e.g., http://[::ffff:169.254.169.254]/).
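The two points above (block link-local and private ranges, and do not trust the textual form of the host) as an added Python example; this is not code from the original page. It normalizes decimal, octal, hex, short-form and IPv4-mapped IPv6 spellings of an address before checking it, and checks what a hostname resolves to rather than the string itself. The SAMPLE_DNS table is a constructed stand-in for DNS so the example runs offline, and the function names are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. In production, pass a
# resolver built on socket.getaddrinfo() and check every address it returns.
SAMPLE_DNS = {
    "hooks.example.com": ["93.184.216.34"],             # constructed: an ordinary public host
    "internal-alias.example.com": ["169.254.169.254"],  # constructed: a name pointing at IMDS
}


def _parse_numeric_ipv4(host):
    """Parse inet_aton-style IPv4 literals that ipaddress rejects: decimal
    (2852039166), octal (0251.0376.0251.0376), hex (0xa9.0xfe.0xa9.0xfe) and
    short forms (169.254.43518). Returns an IPv4Address or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        try:
            if part.lower().startswith("0x"):
                values.append(int(part[2:], 16))
            elif len(part) > 1 and part.startswith("0"):
                values.append(int(part, 8))
            else:
                values.append(int(part, 10))
        except ValueError:
            return None
    *head, last = values
    width = 4 - len(head)  # number of bytes the last component fills
    if any(not 0 <= v <= 255 for v in head) or not 0 <= last < 256 ** width:
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    return ipaddress.IPv4Address((number << (8 * width)) | last)


def normalize_ip(literal):
    """Map any textual IP form to an ipaddress object, unwrapping IPv4-mapped IPv6
    (::ffff:169.254.169.254) so the embedded IPv4 address is what gets checked."""
    literal = literal.strip("[]")
    try:
        addr = ipaddress.ip_address(literal)
    except ValueError:
        addr = _parse_numeric_ipv4(literal)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_blocked(addr):
    """True for link-local, private (RFC 1918), loopback, multicast, reserved or unspecified space."""
    return (addr.is_link_local or addr.is_private or addr.is_loopback
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_webhook_url(url, resolve=None):
    """Return (allowed, reason). Rejects non-http(s) schemes, any host literal that
    normalizes into a blocked range, and hostnames that resolve into one."""
    resolve = resolve or (lambda name: SAMPLE_DNS.get(name, []))
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # userinfo, port and IPv6 brackets are already stripped
    if not host:
        return False, "missing host"
    literal = normalize_ip(host)
    if literal is not None:
        targets = [literal]
    else:
        targets = [normalize_ip(a) for a in resolve(host)]
        if not targets or None in targets:
            return False, f"cannot resolve {host!r} to a usable address"
    for target in targets:
        if is_blocked(target):
            return False, f"{host!r} -> {target} is in a blocked range"
    return True, "ok"


if __name__ == "__main__":
    for candidate in [
        "https://hooks.example.com/notify",
        "http://169.254.169.254/metadata/identity/oauth2/token",
        "http://[::ffff:169.254.169.254]/",
        "http://2852039166/",
        "http://0251.0376.0251.0376/",
        "http://internal-alias.example.com/hook",
    ]:
        print(candidate, validate_webhook_url(candidate))
```

This check happens at registration time, so it should be paired with the egress filtering described earlier: the address that passed validation must be the one the webhook client actually connects to (pin it, and re-validate on every redirect), otherwise a hostname whose DNS answer changes between check and use slips past.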

169.254.169.254 is a link-local address used by major cloud providers (AWS, Azure, GCP, etc.) to expose instance metadata. In Azure, the full endpoint for managed identity tokens is:

http://169.254.169.254/metadata/identity/oauth2/token