Web Server Cloud Metadata SSRF Request

Detects HTTP requests to web servers whose URL or query string references cloud instance metadata endpoints or equivalent encoded variants. Attackers exploit server-side request forgery (SSRF) vulnerabilities in web applications to reach link-local metadata services on AWS, GCP, Azure, and similar cloud providers and harvest temporary credentials, tokens, or instance details.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/07/02"
  3integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik", "zeek"]
  4maturity = "production"
  5updated_date = "2026/07/02"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects HTTP requests to web servers whose URL or query string references cloud instance metadata endpoints or
 11equivalent encoded variants. Attackers exploit server-side request forgery (SSRF) vulnerabilities in web applications
 12to reach link-local metadata services on AWS, GCP, Azure, and similar cloud providers and harvest temporary
 13credentials, tokens, or instance details.
 14"""
 15from = "now-9m"
 16index = [
 17    "logs-nginx.access-*",
 18    "logs-apache.access-*",
 19    "logs-apache_tomcat.access-*",
 20    "logs-iis.access-*",
 21    "logs-traefik.access-*",
 22    "logs-zeek.http-*"
 23]
 24language = "eql"
 25license = "Elastic License v2"
 26name = "Web Server Cloud Metadata SSRF Request"
 27references = [
 28    "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/",
 29    "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery",
 30]
 31risk_score = 47
 32rule_id = "8670bf41-cb64-4d65-a0d6-78af17cf8f30"
 33severity = "medium"
 34tags = [
 35    "Domain: Web",
 36    "Domain: Cloud",
 37    "Domain: Network",
 38    "Use Case: Threat Detection",
 39    "Tactic: Credential Access",
 40    "Tactic: Initial Access",
 41    "Data Source: Nginx",
 42    "Data Source: Apache",
 43    "Data Source: Apache Tomcat",
 44    "Data Source: IIS",
 45    "Data Source: Traefik",
 46    "Data Source: Zeek",
 47    "Resources: Investigation Guide",
 48]
 49timestamp_override = "event.ingested"
 50type = "eql"
 51
 52query = '''
 53web where (
 54  url.original : (
 55    "*169.254.169.254*", "*169%2e254%2e169%2e254*", "*0xa9fea9fe*", "*0xa9.0xfe.0xa9.0xfe*", 
 56    "*2852039166*", "*0251.0376.0251.0376*", "*::ffff:169.254.169.254*", "*::ffff:a9fe:a9fe*", "*fd00:ec2::254*",
 57    "*100.100.100.200*", "*169.254.170.2*", "*metadata.google.internal*", "*metadata.goog*", "*computeMetadata/v1*",
 58    "*meta-data/iam/security-credentials*", "*meta-data%2Fiam%2Fsecurity-credentials*",
 59    "*latest/meta-data*", "*latest/api/token*"
 60  )
 61  or
 62  url.query : (
 63    "*169.254.169.254*", "*169%2e254%2e169%2e254*", "*0xa9fea9fe*", "*0xa9.0xfe.0xa9.0xfe*", 
 64    "*2852039166*", "*0251.0376.0251.0376*", "*::ffff:169.254.169.254*", "*::ffff:a9fe:a9fe*", "*fd00:ec2::254*",
 65    "*100.100.100.200*", "*169.254.170.2*", "*metadata.google.internal*", "*metadata.goog*", "*computeMetadata/v1*",
 66    "*meta-data/iam/security-credentials*", "*meta-data%2Fiam%2Fsecurity-credentials*",
 67    "*latest/meta-data*", "*latest/api/token*"
 68  )
 69)
 70'''
 71
 72note = """## Triage and analysis
 73
 74### Investigating Web Server Cloud Metadata SSRF Request
 75
 76This alert flags inbound HTTP requests to a web server whose `url.original` or `url.query` contains cloud instance
 77metadata addresses, hostnames, or credential paths. A common attacker pattern is exploiting an SSRF vulnerability so
 78the application fetches `http://169.254.169.254/latest/meta-data/iam/security-credentials/` or equivalent GCP and Azure
 79metadata routes, then reuses the returned role credentials against cloud APIs.
 80
 81#### Possible investigation steps
 82
 83- Review `url.original`, `url.query`, `http.request.method`, `http.response.status_code`, and `source.ip` to identify
 84  the injected metadata target, affected route, and whether the server returned a successful response.
 85- URL-decode the request repeatedly and inspect parameters for nested encodings, redirect chains, or wrapper URLs that
 86  hide the metadata destination.
 87- Map the targeted endpoint to the backend handler and determine whether user-controlled input can influence outbound
 88  HTTP requests from the application.
 89- Correlate with application, proxy, and outbound network logs around `@timestamp` for connections from the web server
 90  process to `169.254.169.254`, `100.100.100.200`, `metadata.google.internal`, or Azure metadata hosts.
 91- Check cloud audit, sign-in, or token-issuance telemetry for use of instance role or managed identity credentials
 92  shortly after the request.
 93- Pivot on `source.ip` and `user_agent.original` for related SSRF, scanning, or exploitation attempts across other web
 94  hosts.
 95
 96### False positive analysis
 97
 98- Security scanners, authorized penetration tests, or WAF validation may send metadata URLs in test payloads. Confirm the
 99  activity aligns with an approved assessment window and source before closing as benign.
100- Internal documentation, error pages, or security training content that echoes metadata URLs in query strings can
101  trigger the rule without an exploitable SSRF path. Verify the application does not perform outbound fetches based on
102  the matched input.
103
104### Response and remediation
105
106- Block the offending `source.ip` at the WAF or reverse proxy and add virtual patches to reject requests containing
107  metadata addresses or credential paths.
108- If exploitation is confirmed, isolate the affected application host, preserve access logs, and rotate any cloud role
109  or managed identity credentials that may have been exposed.
110- Patch or remediate the SSRF vulnerability by enforcing strict outbound allowlists, blocking link-local and metadata
111  destinations, and validating user-supplied URLs.
112- Enforce IMDSv2, hop limits, and least-privilege instance roles to reduce impact if metadata access succeeds.
113"""
114
115[[rule.threat]]
116framework = "MITRE ATT&CK"
117
118[[rule.threat.technique]]
119id = "T1552"
120name = "Unsecured Credentials"
121reference = "https://attack.mitre.org/techniques/T1552/"
122
123[[rule.threat.technique.subtechnique]]
124id = "T1552.005"
125name = "Cloud Instance Metadata API"
126reference = "https://attack.mitre.org/techniques/T1552/005/"
127
128[rule.threat.tactic]
129id = "TA0006"
130name = "Credential Access"
131reference = "https://attack.mitre.org/tactics/TA0006/"
132
133[[rule.threat]]
134framework = "MITRE ATT&CK"
135
136[[rule.threat.technique]]
137id = "T1190"
138name = "Exploit Public-Facing Application"
139reference = "https://attack.mitre.org/techniques/T1190/"
140
141[rule.threat.tactic]
142id = "TA0001"
143name = "Initial Access"
144reference = "https://attack.mitre.org/tactics/TA0001/"

Triage and analysis

Investigating Web Server Cloud Metadata SSRF Request

This alert flags inbound HTTP requests to a web server whose url.original or url.query contains cloud instance metadata addresses, hostnames, or credential paths. A common attacker pattern is exploiting an SSRF vulnerability so the application fetches http://169.254.169.254/latest/meta-data/iam/security-credentials/ or equivalent GCP and Azure metadata routes, then reuses the returned role credentials against cloud APIs.

Possible investigation steps

  • Review url.original, url.query, http.request.method, http.response.status_code, and source.ip to identify the injected metadata target, affected route, and whether the server returned a successful response.
  • URL-decode the request repeatedly and inspect parameters for nested encodings, redirect chains, or wrapper URLs that hide the metadata destination.
  • Map the targeted endpoint to the backend handler and determine whether user-controlled input can influence outbound HTTP requests from the application.
  • Correlate with application, proxy, and outbound network logs around @timestamp for connections from the web server process to 169.254.169.254, 100.100.100.200, metadata.google.internal, or Azure metadata hosts.
  • Check cloud audit, sign-in, or token-issuance telemetry for use of instance role or managed identity credentials shortly after the request.
  • Pivot on source.ip and user_agent.original for related SSRF, scanning, or exploitation attempts across other web hosts.

False positive analysis

  • Security scanners, authorized penetration tests, or WAF validation may send metadata URLs in test payloads. Confirm the activity aligns with an approved assessment window and source before closing as benign.
  • Internal documentation, error pages, or security training content that echoes metadata URLs in query strings can trigger the rule without an exploitable SSRF path. Verify the application does not perform outbound fetches based on the matched input.

Response and remediation

  • Block the offending source.ip at the WAF or reverse proxy and add virtual patches to reject requests containing metadata addresses or credential paths.
  • If exploitation is confirmed, isolate the affected application host, preserve access logs, and rotate any cloud role or managed identity credentials that may have been exposed.
  • Patch or remediate the SSRF vulnerability by enforcing strict outbound allowlists, blocking link-local and metadata destinations, and validating user-supplied URLs.
  • Enforce IMDSv2, hop limits, and least-privilege instance roles to reduce impact if metadata access succeeds.

References

Related rules

to-top