Fetch-url-http-3a-2f-2fmetadata.google.internal-2fcomputemetadata-2fv1-2finstance-2fservice Accounts-2f [verified] -

The http://google.internal endpoint allows Google Cloud resources to securely retrieve identity and authorization information without embedding secrets. To prevent SSRF attacks, requests must include the Metadata-Flavor: Google header.

In a standard environment, this URL is used by applications to get their own identity. However, if this string appears in your web logs or as a URL parameter (e.g., ?url=http://...), it often means an attacker is trying to exploit an SSRF vulnerability.

Potential Impact of a Successful Request:

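    const axios = require('axios');
    // `url` (the metadata endpoint) is defined by the surrounding code.
    // axios expects request headers inside the config object, not as the config itself.
    const headers = { 'Metadata-Flavor': 'Google' };
    axios.get(url, { headers })
      .then(res => console.log(res.data.access_token))
      .catch(err => console.error(err));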

Buckets of Fun: Getting Backstage at the DEFCON 31 Cloud ...

The Metadata Server is an internal, non-routable service accessible only from within a running Google Cloud resource (like a VM or Cloud Run instance). It acts as a secure repository for:

- Instance details: Name, ID, zone, and custom tags.
- Project info: Project ID and numeric project number.

What is the Google Compute Engine Metadata Server?

The server logs captured the event. Because the logging system was set to record the input parameters exactly as they were received, it didn't store the decoded URL. It stored the raw, ugly input string.
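One way to search for this indicator when the log holds only the raw, undecoded parameter, as described above. This is an added example, not code from the original page: it normalizes percent-encoded and slug-style `-3a-2f` values before matching the metadata host, and its handling of repeated encoding goes beyond the single case in the text. The `/fetch` route, the marker list and the log lines are constructed assumptions.

```javascript
// Added example: find references to the GCP metadata server in raw log parameters.
const MARKERS = ['metadata.google.internal', 'computemetadata/v1'];
const MAX_ROUNDS = 3; // assumption: enough to unwrap repeated percent-encoding

// Percent-decode until the value is stable; keep what we have if it is malformed.
function percentDecode(s) {
  for (let i = 0; i < MAX_ROUNDS; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch (e) { break; }
    if (next === s) break;
    s = next;
  }
  return s;
}

// Decode slug-style "-3a-2f" escapes, limited to printable ASCII (0x20-0x7f).
function hyphenHexDecode(s) {
  return s.replace(/-([2-7][0-9a-f])/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Return the first marker found in any decoded form of the value, else null.
function findMetadataReference(rawValue) {
  const pct = percentDecode(rawValue);
  const forms = [rawValue, pct, hyphenHexDecode(pct)].map(f => f.toLowerCase());
  return MARKERS.find(m => forms.some(f => f.includes(m))) || null;
}

// Report every query parameter in the log lines that points at the metadata server.
function scanLogLines(lines) {
  const hits = [];
  lines.forEach((line, idx) => {
    const query = (line.match(/\?([^\s"]*)/) || [])[1] || '';
    for (const pair of query.split('&')) {
      const eq = pair.indexOf('=');
      if (eq < 0) continue;
      const marker = findMetadataReference(pair.slice(eq + 1));
      if (marker) hits.push({ line: idx + 1, param: pair.slice(0, eq), marker });
    }
  });
  return hits;
}

// Constructed sample access-log lines (hypothetical /fetch route, not real traffic).
const SAMPLE_LOG = [
  'GET /fetch?url=http%3A%2F%2Fmetadata.google.internal%2FcomputeMetadata%2Fv1%2F HTTP/1.1',
  'GET /fetch?url=http%253A%252F%252Fmetadata%252Egoogle%252Einternal%252F HTTP/1.1',
  'GET /fetch?url=http-3a-2f-2fmetadata.google.internal-2fcomputemetadata-2fv1-2f HTTP/1.1',
  'GET /fetch?url=https%3A%2F%2Fexample.com%2Flogo.png HTTP/1.1',
];
console.log(scanLogLines(SAMPLE_LOG));
```

Matching on the raw string alone would miss the second line, where the dots in the host name are themselves encoded.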

Use cases
