Operation: Redacted - From SSRF to Internal Metadata Access

A technical breakdown of a recent bug bounty finding.

Executive Summary

During a routine reconnaissance phase on a private bug bounty program, I identified an Out-of-Band SSRF vulnerability in the PDF generation engine.

The Chain

  1. Discovery: Identified an endpoint /api/v1/generate accepting a source_url parameter.
  2. Bypass: Used a DNS rebinding technique to bypass the internal IP blacklist.
  3. Impact: Successfully retrieved AWS metadata credentials from 169.254.169.254.

```bash
# Example payload used
curl -X POST "https://target.com/api/v1/generate?source_url=http://[redacted].com/metadata"
```
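
The bypass in step 2 works when the server validates one DNS answer and then connects using a second lookup. The sketch below is an added example, not code from the target application or the original write-up; it contrasts that flawed pattern with resolving once and pinning the connection to the validated address. The resolver class, the hostname `rebind.example` and the sample addresses are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

def is_internal(ip: str) -> bool:
    """True for addresses a server-side fetcher should never reach."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as IPv4.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

class RebindingResolver:
    """Constructed stand-in for DNS: hands out its answers in order,
    then keeps repeating the last one (simulates a record that changes)."""
    def __init__(self, answers):
        self.answers = list(answers)
        self.calls = 0

    def __call__(self, host: str) -> str:
        ip = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return ip

def check_then_fetch(url: str, resolve) -> str:
    """Flawed: validates one lookup, then the HTTP client resolves again."""
    host = urlsplit(url).hostname
    if is_internal(resolve(host)):
        raise ValueError("blocked")
    return resolve(host)  # address the client would actually connect to

def resolve_and_pin(url: str, resolve):
    """Hardened: resolve once, validate, connect to that exact address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL")
    ip = resolve(parts.hostname)
    if is_internal(ip):
        raise ValueError(f"blocked internal address {ip}")
    # Caller opens the socket to `ip` and sends Host/SNI = hostname.
    return ip, parts.hostname

if __name__ == "__main__":
    url = "http://rebind.example/metadata"    # constructed hostname
    answers = ["93.184.216.34", "169.254.169.254"]  # constructed DNS answers
    print("check-then-fetch connects to:",
          check_then_fetch(url, RebindingResolver(answers)))
    print("resolve-and-pin connects to:",
          resolve_and_pin(url, RebindingResolver(answers))[0])
```

The same validation has to be repeated for every redirect hop, since a redirect to an internal address defeats a check applied only to the first URL.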