Summary

  • Blogger Abhijeet Kumawat has disclosed how simple curiosity about the backend process that creates a PDF invoice for an Amazon Web Services (AWS) Metadata feature led to a wider investigation and ultimately to access to the metadata itself, entirely bypassing the need for any kind of authentication.
  • He explains in some detail how, through a simple manipulation of the URL using a localhost redirect, he was able to access the AWS metadata, an aspect of cloud storage that typically provides access to information such as instance ID, IP address, user ID and more.
  • The discovery has serious implications, particularly for those who favour cloud storage as an increasingly popular yet secure storage facility for important and sensitive data.
  • Kumawat demonstrates that by simply understanding the inherent trust between different elements of the cloud, and by creatively applying that trust in unexpected ways, it's possible to gain penetrating, unauthorised access to some of the most sensitive data held in the cloud.
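
A defender's view of the redirect problem described above, as an added example that is not taken from Kumawat's article: a server-side fetcher (assumed here to be what the PDF generator uses) has to validate every redirect hop, not only the URL it was first given. The host names, the resolver table, the redirect table and the function names are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges a server-side fetcher should never reach: loopback, link-local
# (the cloud instance metadata service lives at 169.254.169.254), RFC 1918.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
MAX_HOPS = 3

# Constructed sample data standing in for DNS and for HTTP 3xx responses.
SAMPLE_DNS = {"invoices.example.com": "198.51.100.7",
              "redirector.example.net": "203.0.113.10",
              "localhost": "127.0.0.1"}
SAMPLE_REDIRECTS = {
    "http://redirector.example.net/a": "http://localhost/",
    "http://redirector.example.net/b": "http://169.254.169.254/"}

def blocked_reason(host, resolve):
    """Return why `host` must not be fetched, or None if it is allowed."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        addr = resolve(host)          # hostname: judge the address it maps to
        if addr is None:
            return f"{host} does not resolve"
        ip = ipaddress.ip_address(addr)
    ip = getattr(ip, "ipv4_mapped", None) or ip   # unwrap ::ffff:a.b.c.d
    for net in BLOCKED:
        if ip in net:
            return f"{ip} is inside {net}"
    return None

def check_fetch(url, redirects, resolve):
    """Validate `url` and every redirect hop; return (allowed, detail)."""
    for hop in range(MAX_HOPS + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False, f"hop {hop}: unsupported URL {url}"
        reason = blocked_reason(parts.hostname, resolve)
        if reason:
            return False, f"hop {hop}: {reason}"
        if url not in redirects:      # no further 3xx: safe to render
            return True, url
        url = redirects[url]          # follow manually, re-check next hop
    return False, "too many redirects"
```

In a real fetcher the HTTP client's automatic redirect following has to be switched off so that each `Location` value passes through this check, and the connection should be made to the address that was validated rather than resolved a second time.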

By Abhijeet Kumawat

Original Article