by mdeeks
3005 days ago
That is actually pretty scary from a security perspective because of SSRF attacks. Basically if I can get your service to make an HTTP request on my behalf then I can get at your secrets. Suppose you have a service that fetches snippets from user pasted links (like Slack does). All I have to do is paste a link of "http://localhost:5000?key=my-api" and your server would return a snippet containing the secret. That's why Google Cloud and others require a special header to be set. Hopefully Odin does the same?

https://cloud.google.com/compute/docs/storing-retrieving-met...
https://ionize.com.au/stealing-amazon-ec2-keys-via-xss-vulne...
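The two mitigations the comment points at, as an added example (not code from Odin, Slack, Google or the commenter): a link-preview fetcher that refuses to fetch URLs pointing at loopback, private or link-local addresses (which is where a local secret store or a cloud instance-metadata endpoint lives), and the server-side "special header" check a metadata endpoint can apply so that a forwarded fetch from a browser or a naive URL fetcher is refused. The header name `Metadata-Flavor: Google` is the one GCE's metadata server requires; the `resolver` parameter, the `check_outbound_url` and `metadata_request_allowed` names, and the sample URLs are this example's own assumptions.

```python
"""SSRF guard for a link-preview fetcher, plus a metadata-style header check.
Added example; not the code of any project mentioned in the thread."""
import ipaddress
import socket
from urllib.parse import urlparse

# Networks a fetcher acting on a user's behalf should never reach.
# 169.254.0.0/16 contains the cloud instance-metadata address 169.254.169.254.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def _is_blocked(addr_text):
    """True if the address (v4, v6, or v4-mapped v6) falls in a blocked range."""
    addr = ipaddress.ip_address(addr_text)
    # "::ffff:127.0.0.1" is loopback wearing an IPv6 coat; unwrap it first.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_host(host):
    """Resolve a hostname to every address it maps to; [] on failure."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_outbound_url(url, resolver=resolve_host):
    """Return (allowed, reason) for a user-supplied URL the service would fetch.

    Only plain http(s) to a public address is allowed. `resolver` is
    injectable so the check can be exercised offline (assumed helper)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)      # literal IP in the URL: check as-is
        addrs = [host]
    except ValueError:
        addrs = resolver(host)          # hostname: check every resolved address
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if _is_blocked(addr):
            return False, f"resolves to blocked address {addr}"
    return True, "ok"


# The header GCE's metadata server requires on every request.
METADATA_HEADER = ("Metadata-Flavor", "Google")


def metadata_request_allowed(headers):
    """Server-side check in the style of GCE: browsers, redirects and naive
    snippet fetchers do not add this header, so a forwarded request is refused.
    `headers` is a plain dict of request headers (constructed input)."""
    name, value = METADATA_HEADER
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower()) == value


if __name__ == "__main__":
    # The comment's own payload, plus the cloud metadata address (constructed).
    for url in ("http://localhost:5000?key=my-api",
                "http://169.254.169.254/latest/meta-data/",
                "http://[::ffff:127.0.0.1]/",
                "https://8.8.8.8/"):
        print(url, "->", check_outbound_url(url))
    print(metadata_request_allowed({"Host": "169.254.169.254"}))
    print(metadata_request_allowed({"Metadata-Flavor": "Google"}))
```

One caveat the check alone does not cover: a real fetcher must connect to the address it validated (and apply the same check to every redirect target) rather than re-resolving the hostname at connect time, otherwise a DNS answer that changes between check and connect gets past it.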