by stevekemp
2008 days ago
For golang I wrote this: https://github.com/skx/remotehttp

I've found, and reported, a whole bunch of services which take user-supplied URLs and don't filter out access to localhost:8080/server-status, and similar local resources. A common route to attacking these is to access the AWS metadata URL endpoint. Something at least the Google cloud prevents, by forcing the use of the `Metadata-Flavor: Google` header.
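An added example, not part of the comment above and not code from the linked repository: one way to filter user-supplied URLs in a Go HTTP client is to check the resolved IP in the dialer's `Control` hook, immediately before the socket connects. The names `IsBlocked`, `checkAddr` and `NewSafeClient` and the choice of blocked ranges are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// IsBlocked reports whether ip is loopback, private (RFC 1918 / unique-local),
// link-local (169.254.0.0/16 contains the cloud metadata address) or unspecified.
func IsBlocked(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() || ip.IsUnspecified()
}

// checkAddr is called after DNS resolution and before connect(), so it sees the
// literal IP being dialled. That covers hostnames that resolve to local
// addresses and redirects, which a string check on the URL would miss.
func checkAddr(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(host); ip == nil || IsBlocked(ip) { // unparsable: fail closed
		return fmt.Errorf("refusing to connect to local address %s", address)
	}
	return nil
}

// NewSafeClient returns a client for fetching user-supplied URLs. No Proxy is
// set on the Transport, so every dial goes straight to the checked address.
func NewSafeClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: checkAddr}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext},
	}
}

func main() {
	// The URL from the comment above; the dial is rejected before any packet is sent.
	_, err := NewSafeClient().Get("http://localhost:8080/server-status")
	fmt.Println("request error:", err)
}
```

If the client is configured to use a proxy, the hook only sees the proxy's address, so the same filtering has to happen on the proxy instead.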