Cloud metadata publicly exposed
Description
A misconfigured reverse proxy allows attackers to manipulate HTTP request headers or parameters to control where the proxy routes requests. This configuration weakness enables Server-Side Request Forgery (SSRF), where an attacker can force the server to make requests to unintended destinations, including internal cloud metadata endpoints (such as AWS EC2 metadata at 169.254.169.254, Azure Instance Metadata Service, or GCP metadata server) that should not be publicly accessible.
Remediation
Configure the reverse proxy to restrict routing destinations and prevent access to internal resources:
1. Implement allowlist-based routing: Only permit proxying to explicitly approved destination hosts. Reject all other requests.
2. Block cloud metadata endpoints: Explicitly deny requests to cloud metadata IP addresses (169.254.169.254, fd00:ec2::254) and internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8).
3. Validate user-controlled input: If the proxy destination is derived from user input (headers, query parameters, or path components), validate it against a strict allowlist before processing.
Example for NGINX:
# Both blocks belong in the http {} context.
# Validate the Host header against allowed backends; any host not listed
# maps to "" and is rejected in the location block below.
map $http_host $allowed_backend {
    default "";
    "api.example.com" "http://backend1.internal:8080";
    "app.example.com" "http://backend2.internal:8080";
}

server {
    listen 80;

    # Block requests to cloud metadata and internal IPs (defense in depth;
    # the map above already leaves them unmatched)
    if ($http_host ~* "169\.254\.169\.254|fd00:ec2::|localhost|127\.0\.0\.1") {
        return 403;
    }

    # Only proxy if the Host header matches the allowlist
    location / {
        if ($allowed_backend = "") {
            return 403;
        }
        # proxy_pass with a variable resolves the backend name at request
        # time, so a resolver directive (or upstream {} blocks) is required
        proxy_pass $allowed_backend;
        proxy_set_header Host $host;
    }
}
Example for Apache:
# Not a forward proxy: only the explicit ProxyPassMatch targets below are reachable
ProxyRequests Off

# Deny any proxied request whose destination is a cloud metadata service or loopback
<ProxyMatch "^https?://(169\.254\.169\.254|\[fd00:ec2::254\]|127\.0\.0\.1|localhost)(:[0-9]+)?/">
    Require all denied
</ProxyMatch>

# Only allow specific backends: fixed path prefixes map to fixed internal hosts
ProxyPassMatch "^/api/(.*)$" "http://backend1.internal:8080/$1"
ProxyPassMatch "^/app/(.*)$" "http://backend2.internal:8080/$1"
4. Apply defense in depth: Use network segmentation, firewall rules, and cloud security groups to prevent the application server from accessing metadata endpoints even if the proxy is bypassed.
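Steps 1 to 3 applied in application code that sits in front of the proxy and receives the destination from user input; this is an added Python example, not part of the original finding text or any vendor code. The allowed hostnames, the 203.0.113.x addresses and the stand-in resolver are constructed so the block runs offline; the blocked ranges are the ones listed in step 2, plus unwrapping of IPv4-mapped IPv6 addresses.

```python
import ipaddress
from urllib.parse import urlsplit

# Hostnames this proxy may forward to (constructed for this example)
ALLOWED_HOSTS = {"api.example.com", "app.example.com"}

# Metadata services and internal ranges listed in step 2
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.169.254/32", "fd00:ec2::254/128", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
)]

# Stand-in resolver so the block runs offline; a deployment would use
# socket.getaddrinfo. Constructed name -> address mapping.
FAKE_DNS = {"api.example.com": ["203.0.113.10"],
            "app.example.com": ["203.0.113.11"]}

def is_blocked(addr: str) -> bool:
    """True if addr falls in a blocked range (IPv4-mapped IPv6 unwrapped)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:169.254.169.254 -> 169.254.169.254
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_target(url: str, resolve=lambda h: FAKE_DNS.get(h, [])) -> bool:
    """Return True only if url is an acceptable proxy destination.

    Order of checks: scheme, no literal IP, exact hostname allowlist, then
    every address the name resolves to against BLOCKED_NETWORKS (catches an
    allowlisted name that has been pointed at the metadata IP).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:                              # literal IPs are never accepted
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:
        return False
    addrs = resolve(host)
    return bool(addrs) and not any(is_blocked(a) for a in addrs)
```

The resolved-address check matters because the allowlist alone does not help once a permitted name resolves to a metadata or internal address; pin the resolved address for the outgoing connection so a second lookup cannot return something different.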