SSRF in cloud-hosted (mock Azure) app

/metadata-azure · sink: requests.get

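A mock of the Azure Instance Metadata Service (IMDS) with a managed-identity token endpoint. The app injects the Metadata: true header into the requests it makes, so the header check that Azure IMDS relies on does not stop a server-side request here.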


Hint

Azure IMDS is at http://169.254.169.254/metadata/. Try /metadata/instance?api-version=2021-02-01 and then /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/.
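A defensive counterpart to this lab's sink, added here as an example and not the lab's own code: check where a user-supplied URL actually resolves before it reaches requests.get, and never attach the Metadata header to a user-chosen destination. The function names and the injectable resolver are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host, port):
    """Return every IP address the host resolves to (IP literals resolve offline)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def _is_internal(addr):
    """True for link-local (IMDS), loopback, private and other non-public ranges."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata address
    return (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_outbound_url(url, resolve=_resolve):
    """Return (allowed, reason, addresses) for a user-supplied URL.

    The decision is made on the resolved addresses, not on the URL string.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if not parts.hostname:
        return False, "no host", []
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addrs = resolve(parts.hostname, port)
    except (ValueError, OSError):  # bad port, or the host does not resolve
        return False, "host or port invalid", []
    blocked = [a for a in addrs if _is_internal(a)]
    if blocked:
        return False, "resolves to internal address " + blocked[0], addrs
    return True, "ok", addrs


def outbound_headers(extra=None):
    """Headers for the fetch, with any 'Metadata' header removed."""
    return {k: v for k, v in (extra or {}).items() if k.lower() != "metadata"}
```

When the check passes, connect to one of the returned addresses and pass allow_redirects=False to requests.get; otherwise a second DNS lookup or a 3xx response can still lead to 169.254.169.254.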
