Server Side Request Forgery in AWS and why only IMDSv2 is not enough
One of the defense-in-depth measures against SSRF in applications running on AWS is to move EC2 instances to IMDSv2. The idea is that IMDSv2 requires a session token, obtained with an HTTP PUT request, to be sent in a request header on every metadata call. An attacker whose SSRF primitive only lets them make the application issue a plain GET to a URL of their choosing therefore cannot read the instance metadata endpoint. However, there are caveats.
In this talk we will see what you can achieve with SSRF attacks, how IMDSv2 prevents vanilla SSRFs from accessing the instance metadata, and what real-world scenarios exist in which IMDSv2 can be attacked to extract EC2 metadata, including the keys to the kingdom (a fancy phrase for overly privileged IAM instance role credentials), to compromise the entire AWS account on which the app or service is running.
We will look at a popular npm package that can make your environment vulnerable when it is deployed. We will end the talk with some tips on how to stay safe without relying solely on the protection that IMDSv2 offers.
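To make the abstract's point concrete, here is an added example (it is not code from the talk, from AWS, or from any package the talk discusses). It models IMDSv1 and IMDSv2 in memory with the real endpoint path, header names and hop-limit behaviour, then runs three SSRF primitives against the model: a vanilla GET-only SSRF, an SSRF in which the attacker also controls the HTTP method and headers, and an application that legitimately holds an IMDSv2 token and exposes a metadata-fetching feature. It finishes with an application-side egress allowlist, one of the defences that does not depend on the metadata service version. The role name, the credential values and the application functions are constructed for the example; the attack scenarios are illustrations, not a list of what the talk covers.

```python
"""Toy model of the EC2 Instance Metadata Service and of SSRF primitives
against it. Constructed for illustration; nothing here is AWS's code."""
import ipaddress
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

METADATA_IP = "169.254.169.254"
TOKEN_PATH = "/latest/api/token"                 # real IMDSv2 token endpoint
CREDS_PATH = "/latest/meta-data/iam/security-credentials/app-role"  # role name assumed
TOKEN_TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"               # real header
TOKEN_HDR = "X-aws-ec2-metadata-token"                               # real header
# Constructed, fake credentials: not a real key.
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
              "Token": "example-session-token"}


@dataclass
class FakeIMDS:
    tokens_required: bool      # IMDSv2 only, i.e. "--http-tokens required"
    hop_limit: int = 1         # "--http-put-response-hop-limit"
    tokens: set = field(default_factory=set)

    def request(self, method, path, headers=None, hops=1):
        """Return (status, body). hops is the client's network distance from
        the instance NIC (2 for a container on a bridged network)."""
        headers = headers or {}
        if method == "PUT" and path == TOKEN_PATH:
            if TOKEN_TTL_HDR not in headers:
                return 400, "missing TTL header"
            if hops > self.hop_limit:
                # Real IMDS sets the IP TTL of the PUT response to the hop
                # limit, so a client further away never sees the token.
                return None, "no response (TTL exceeded)"
            tok = secrets.token_hex(8)
            self.tokens.add(tok)
            return 200, tok
        if method != "GET":
            return 405, "method not allowed"
        tok = headers.get(TOKEN_HDR)
        if tok is not None and tok not in self.tokens:
            return 401, "invalid token"
        if tok is None and self.tokens_required:
            return 401, "token required"       # what blocks a vanilla SSRF
        if path == CREDS_PATH:
            return 200, dict(FAKE_CREDS)
        return 404, "not found"


def app_fetch(imds, url, method="GET", headers=None, hops=1):
    """The vulnerable app's outbound HTTP client. Only the metadata IP is
    routed to the model; anything else is treated as an external host."""
    u = urlsplit(url)
    if u.hostname != METADATA_IP:
        return 200, f"fetched {u.hostname}"
    return imds.request(method, u.path, headers, hops)


def vanilla_ssrf(imds, url):
    """Attacker controls only the URL (e.g. a URL-preview feature)."""
    return app_fetch(imds, url)


def full_control_ssrf(imds, hops=1):
    """Attacker also controls method and headers (e.g. a 'make this HTTP
    request for me' feature), so they can do the IMDSv2 handshake."""
    status, tok = app_fetch(imds, f"http://{METADATA_IP}{TOKEN_PATH}", "PUT",
                            {TOKEN_TTL_HDR: "21600"}, hops)
    if status != 200:
        return status, tok
    return app_fetch(imds, f"http://{METADATA_IP}{CREDS_PATH}", "GET",
                     {TOKEN_HDR: tok}, hops)


class MetadataProxyApp:
    """App that uses IMDSv2 correctly for itself but lets users pick the
    metadata path it fetches; the attacker simply borrows its token."""
    def __init__(self, imds):
        self.imds = imds
        _, self.token = imds.request("PUT", TOKEN_PATH, {TOKEN_TTL_HDR: "21600"})

    def fetch(self, path):
        return self.imds.request("GET", path, {TOKEN_HDR: self.token})


def hardened_fetch(imds, url):
    """Egress allowlist in the app: refuse link-local, private and loopback
    destinations whatever IMDS version the instance runs."""
    u = urlsplit(url)
    try:
        ip = ipaddress.ip_address(u.hostname)
        if ip.is_link_local or ip.is_private or ip.is_loopback:
            return 403, "destination not allowed"
    except ValueError:
        pass   # a hostname; a real check resolves it and re-checks the address
    return app_fetch(imds, url)
```

Read together, the four runs show the abstract's argument: the vanilla primitive gets credentials from an IMDSv1 instance and a 401 from an IMDSv2-only one, while the method-controlling primitive and the token-holding proxy both recover credentials from IMDSv2 unless something else (the hop limit, an egress allowlist, a less privileged role) stands in the way.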
More about Riyaz Walikar
Riyaz is the Co-Founder/Chief Hacker/CTO at Kloudle Inc, a Cloud Native Security Monitoring SaaS company. At Kloudle, his offensive security skills are used to identify and mimic attackers attempting to break in to various cloud configurations, to enhance Kloudle's monitoring capabilities.
He is also an active security evangelist and researcher with over a decade of experience in the cyber security industry. His curiosity has led him to work in various aspects of Cloud Security, Kubernetes and Container Security, Web Application and Mobile Security, Network and System Penetration Testing, Wireless Network Security Assessment, Dynamic Malware Analysis, Threat Modelling, Windows Forensics, Security Code Review, Vulnerability Research, Exploit Development and Reverse Engineering.
He loves speaking at various conferences and community meetups and has been a speaker/trainer at numerous conferences including BlackHat, DefCon, OWASP AppSec and nullcon. He is also one of the chapter leaders of OWASP Bangalore and in the past has led community efforts at null (India’s largest open security community) as well.
When he is not writing/breaking code, you can find him dabbling in photography, stargazing, playing football, reading or fishing.