Webhook-url-http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken

The payload contains URL-encoded characters (-3A-2F-2F and -2F). When properly decoded, the string translates to: http://169.254.169.254/metadata/identity/oauth2/token

2. The Link-Local IP Address (169.254.169.254)

To understand how this attack works, we must first decode the URL and analyze its individual components.

1. URL Decoding the Request

The encoded form webhook-url-http-3A-2F-2F169.254.169.254-2Fmetadata-2Fidentity-2Foauth2-2Ftoken is dangerous for several reasons:

[Attacker]
  │
  │ 1. Submits malicious webhook URL: http://169.254.169...
  ▼
[Vulnerable Cloud Application Server]
  │
  │ 2. Server trusts the input and makes an internal HTTP request
  ▼
[Azure Instance Metadata Service (IMDS)]
  │
  │ 3. Validates internal request and generates OAuth2 Token
  ▼
[Vulnerable Cloud Application Server]
  │
  │ 4. Leaks/Exposes token response back to attacker
  ▼
[Attacker Client] (Achieves Cloud Infrastructure Access)

With an OAuth2 token scoped to the managed identity, an attacker can:

If your system accepts webhook URLs from users and fetches them without validation, it is vulnerable to this attack. Here is the fix:

At first glance, the string looks like gibberish – a mix of letters, numbers, and percent signs. However, it is an encoded form of a sensitive internal endpoint:

Methods to for the managed identity to minimize security risks.

Attackers can use the identity to pivot across the cloud network, deploying malicious resources, modifying access controls, or deleting critical infrastructure.

Defensive Strategies: How to Protect Webhook Infrastructure

Thus:

The vulnerable application server processes the request. Because the request originates inside the server, the server queries the link-local IP (169.254.169.254) on its own network.

Applications that accept user-defined URLs should apply strict validation before fetching them:
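The following is an added example, not code from the page, of the strict validation the page calls for, combined with the URL decoding discussed above. It percent-decodes the input until it reaches its final form (the page shows the payload with "-3A" and "-2F" where a browser would send "%3A" and "%2F"; validate the URL in the form the application will actually request, after its own unescaping), allows only https, rejects embedded credentials, and resolves the hostname so that names pointing at 169.254.169.254 or other internal ranges are refused, including the IPv4-mapped IPv6 spelling. The resolver parameter, the FAKE_DNS table and the hostnames in it are constructed for this example.

```python
import ipaddress
import socket
import urllib.parse
from typing import Callable, Set

# Private and special-purpose ranges a webhook fetcher should never reach.
# 169.254.0.0/16 (link-local, where IMDS lives) is caught by is_link_local below.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),   # carrier-grade NAT
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local
]
# Hostnames that are commonly aliased to a metadata service or the local host.
BLOCKED_HOSTNAMES = {"metadata", "metadata.google.internal", "localhost"}

# Constructed DNS table for the offline demo (assumption: not real hosts).
FAKE_DNS = {
    "hooks.example.com": {"203.0.113.10"},    # legitimate external webhook receiver
    "evil.example.net": {"169.254.169.254"},  # attacker-controlled name aimed at IMDS
}

def fake_resolver(host: str) -> Set[str]:
    return FAKE_DNS.get(host.lower(), set())

def system_resolver(host: str) -> Set[str]:
    """Real resolver for production use; swapped out for fake_resolver in tests."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so double-encoded
    payloads (%253A -> %3A -> :) are validated in their final form."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many layers of URL encoding")

def is_blocked_address(ip) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before checking ranges.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or ip.is_reserved):
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_webhook_url(raw: str,
                         resolver: Callable[[str], Set[str]] = system_resolver) -> str:
    """Return the decoded URL if it is safe to fetch; raise ValueError otherwise."""
    url = fully_decode(raw.strip())
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed (user@host confusion)")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise ValueError("missing host")
    if host in BLOCKED_HOSTNAMES:
        raise ValueError(f"blocked hostname: {host}")
    try:
        addresses = {ipaddress.ip_address(host)}      # literal IPv4/IPv6 host
    except ValueError:
        resolved = resolver(host)                      # DNS name: check what it points at
        if not resolved:
            raise ValueError(f"could not resolve {host}")
        addresses = {ipaddress.ip_address(a) for a in resolved}
    for ip in addresses:
        if is_blocked_address(ip):
            raise ValueError(f"{host} points at blocked address {ip}")
    return url

def is_safe_webhook_url(raw: str, resolver=system_resolver) -> bool:
    try:
        validate_webhook_url(raw, resolver)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    samples = [
        "https://hooks.example.com/notify",
        "https%3A%2F%2F169.254.169.254%2Fmetadata%2Fidentity%2Foauth2%2Ftoken",
        "https%253A%252F%252F169.254.169.254%252Fmetadata",
        "https://evil.example.net/callback",
        "https://hooks.example.com@169.254.169.254/",
        "https://[::ffff:169.254.169.254]/",
    ]
    for s in samples:
        print(f"{'ALLOW' if is_safe_webhook_url(s, fake_resolver) else 'REJECT':6} {s}")
```

Resolving at validation time and connecting later still leaves a DNS-rebinding window; the fetcher should connect to the address that was validated (or egress traffic to 169.254.169.254 should be blocked at the network layer) rather than re-resolving the name. Combined with a least-privilege managed identity, as the page recommends, this limits both the chance and the impact of a leaked token.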

| Encoded | Character | Reason |
|---------|-----------|--------|
| %3A | : | Separates scheme from host |
| %2F | / | Path separator |

What is this URL?

While specific examples are often undisclosed, a common pattern is CI/CD platforms that allow custom webhooks. Suppose a build tool accepts a callback_url to notify external systems of job completion. An attacker sets the callback URL to http-3A-2F-2F169.254.169.254-2Fmetadata-2Fidentity-2Foauth2-2Ftoken?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net. The server unescapes the string, fetches the token, and sends it back in the webhook response (or logs it). The attacker then uses the token to read production secrets from Key Vault.

If you spend any time in cloud security or penetration testing, you will eventually memorize one IP address: 169.254.169.254.

A microservice container uses this endpoint to get a token to call a backend API.

4. Security Considerations & Risks

This URL represents a critical security risk: an attack targeting the Azure Instance Metadata Service (IMDS).