by stevekemp 2101 days ago
Hrm. Does it really fetch "local" resources?

Visual Mind summary report for http://169.254.169.254/latest/meta-data

38% of users are expected to like your site

Yup. That's a security hole:

http://13.232.106.1/thumbs/visualmind/aHR0cDovLzE2OS4yNTQuMT...


That's interesting. How did you go from metadata to token?
The token is in the metadata haha. Try creating a report for http://169.254.169.254/latest/meta-data/identity-credentials...
Thanks for pointing it out. Shame on us. :)
Be careful, there are ways around just blocking the IP address:

https://myraah.io/index.php/visualmind/report/aHR0cDovL2F3c2...

Agreed. I put together a little library to handle denying access to "local" resources, to abstract this a little and avoid overlooking common mistakes:

https://github.com/skx/remotehttp
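
The shape of guard the comment above is talking about, as an added example in Go (my own code for this thread, not skx/remotehttp and not the site's fix; the names `IsPublicIP`, `CheckURL`, `NewGuardedClient` and `ErrForbiddenTarget` are mine). It rejects the link-local range that 169.254.169.254 sits in along with loopback, private and other non-routable space, and it does so inside the dialer, after name resolution and just before connect, so the verdict applies to the address the fetcher actually uses rather than to a string inspected earlier. It assumes Go 1.17 or later for `net.IP.IsPrivate`; the address 203.0.113.10 is a constructed sample from the RFC 5737 documentation range.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// ErrForbiddenTarget is returned when a request would reach a non-public address.
var ErrForbiddenTarget = errors.New("target is a local or reserved address")

// IsPublicIP reports whether ip is a globally routable unicast address.
// Link-local space (where 169.254.169.254 lives), loopback, RFC 1918 and ULA
// private ranges, the unspecified address and multicast are all rejected.
// IPv4-mapped IPv6 addresses are unwrapped first so the mapped form of an
// IPv4 address gets the same verdict as the IPv4 address itself.
func IsPublicIP(ip net.IP) bool {
	if ip == nil {
		return false
	}
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return !(ip.IsUnspecified() || ip.IsLoopback() || ip.IsMulticast() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsPrivate())
}

// CheckURL validates a user-supplied URL before any fetch: only http/https,
// and every address the host resolves to must be public. Resolving the name,
// rather than only looking at the literal host string, catches hostnames
// that point at internal addresses.
func CheckURL(ctx context.Context, raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("URL has no host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
		if err != nil {
			return err
		}
		for _, a := range addrs {
			ips = append(ips, a.IP)
		}
	}
	for _, ip := range ips {
		if !IsPublicIP(ip) {
			return fmt.Errorf("%w: %s resolves to %s", ErrForbiddenTarget, host, ip)
		}
	}
	return nil
}

// NewGuardedClient returns an http.Client that enforces IsPublicIP inside the
// dialer. Dialer.Control runs after name resolution and immediately before
// connect, so the verdict is on the address actually used, and it also covers
// redirect targets, which a one-time check of the original URL would not.
func NewGuardedClient(timeout time.Duration) *http.Client {
	dialer := &net.Dialer{
		Timeout: timeout,
		Control: func(network, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			if !IsPublicIP(net.ParseIP(host)) {
				return fmt.Errorf("%w: %s", ErrForbiddenTarget, address)
			}
			return nil
		},
	}
	return &http.Client{
		Timeout: timeout,
		Transport: &http.Transport{
			DialContext: dialer.DialContext,
			Proxy:       nil, // no proxy, so the dialer always sees the real destination
		},
	}
}

func main() {
	// Constructed inputs: the metadata URL from the thread, its IPv4-mapped
	// IPv6 spelling, and a documentation-range address that passes the check.
	for _, raw := range []string{
		"http://169.254.169.254/latest/meta-data",
		"http://[::ffff:169.254.169.254]/latest/meta-data",
		"http://203.0.113.10/",
	} {
		fmt.Printf("%-50s %v\n", raw, CheckURL(context.Background(), raw))
	}
}
```

`CheckURL` is the fast pre-check that gives the user an error message before any work is done; `NewGuardedClient` is the control that actually matters, because it sits on the connect path and is evaluated for every connection the client makes, including ones that follow redirects. Serving the request with a client built this way is the difference between "we block that IP" and "we never connect to that address space."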

Good ol' metadata strikes again. I wish AWS would make a virtual block device for accessing this content instead of network (at least as an option). Much easier to protect at the OS level.

The v2 service helps with this but it doesn't beat awareness of the issue.