Web Server Cloud Metadata SSRF Request
Detects HTTP requests to web servers whose URL or query string references cloud instance metadata endpoints or equivalent encoded variants. Attackers exploit server-side request forgery (SSRF) vulnerabilities in web applications to reach link-local metadata services on AWS, GCP, Azure, and similar cloud providers and harvest temporary credentials, tokens, or instance details.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/07/02"
3integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik", "zeek"]
4maturity = "production"
5updated_date = "2026/07/02"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects HTTP requests to web servers whose URL or query string references cloud instance metadata endpoints or
11equivalent encoded variants. Attackers exploit server-side request forgery (SSRF) vulnerabilities in web applications
12to reach link-local metadata services on AWS, GCP, Azure, and similar cloud providers and harvest temporary
13credentials, tokens, or instance details.
14"""
15from = "now-9m"
16index = [
17 "logs-nginx.access-*",
18 "logs-apache.access-*",
19 "logs-apache_tomcat.access-*",
20 "logs-iis.access-*",
21 "logs-traefik.access-*",
22 "logs-zeek.http-*"
23]
24language = "eql"
25license = "Elastic License v2"
26name = "Web Server Cloud Metadata SSRF Request"
27references = [
28 "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/",
29 "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery",
30]
31risk_score = 47
32rule_id = "8670bf41-cb64-4d65-a0d6-78af17cf8f30"
33severity = "medium"
34tags = [
35 "Domain: Web",
36 "Domain: Cloud",
37 "Domain: Network",
38 "Use Case: Threat Detection",
39 "Tactic: Credential Access",
40 "Tactic: Initial Access",
41 "Data Source: Nginx",
42 "Data Source: Apache",
43 "Data Source: Apache Tomcat",
44 "Data Source: IIS",
45 "Data Source: Traefik",
46 "Data Source: Zeek",
47 "Resources: Investigation Guide",
48]
49timestamp_override = "event.ingested"
50type = "eql"
51
52query = '''
53web where (
54 url.original : (
55 "*169.254.169.254*", "*169%2e254%2e169%2e254*", "*0xa9fea9fe*", "*0xa9.0xfe.0xa9.0xfe*",
56 "*2852039166*", "*0251.0376.0251.0376*", "*::ffff:169.254.169.254*", "*::ffff:a9fe:a9fe*", "*fd00:ec2::254*",
57 "*100.100.100.200*", "*169.254.170.2*", "*metadata.google.internal*", "*metadata.goog*", "*computeMetadata/v1*",
58 "*meta-data/iam/security-credentials*", "*meta-data%2Fiam%2Fsecurity-credentials*",
59 "*latest/meta-data*", "*latest/api/token*"
60 )
61 or
62 url.query : (
63 "*169.254.169.254*", "*169%2e254%2e169%2e254*", "*0xa9fea9fe*", "*0xa9.0xfe.0xa9.0xfe*",
64 "*2852039166*", "*0251.0376.0251.0376*", "*::ffff:169.254.169.254*", "*::ffff:a9fe:a9fe*", "*fd00:ec2::254*",
65 "*100.100.100.200*", "*169.254.170.2*", "*metadata.google.internal*", "*metadata.goog*", "*computeMetadata/v1*",
66 "*meta-data/iam/security-credentials*", "*meta-data%2Fiam%2Fsecurity-credentials*",
67 "*latest/meta-data*", "*latest/api/token*"
68 )
69)
70'''
71
72note = """## Triage and analysis
73
74### Investigating Web Server Cloud Metadata SSRF Request
75
76This alert flags inbound HTTP requests to a web server whose `url.original` or `url.query` contains cloud instance
77metadata addresses, hostnames, or credential paths. A common attacker pattern is exploiting an SSRF vulnerability so
78the application fetches `http://169.254.169.254/latest/meta-data/iam/security-credentials/` or equivalent GCP and Azure
79metadata routes, then reuses the returned role credentials against cloud APIs.
80
81#### Possible investigation steps
82
83- Review `url.original`, `url.query`, `http.request.method`, `http.response.status_code`, and `source.ip` to identify
84 the injected metadata target, affected route, and whether the server returned a successful response.
85- URL-decode the request repeatedly and inspect parameters for nested encodings, redirect chains, or wrapper URLs that
86 hide the metadata destination.
87- Map the targeted endpoint to the backend handler and determine whether user-controlled input can influence outbound
88 HTTP requests from the application.
89- Correlate with application, proxy, and outbound network logs around `@timestamp` for connections from the web server
90 process to `169.254.169.254`, `100.100.100.200`, `metadata.google.internal`, or Azure metadata hosts.
91- Check cloud audit, sign-in, or token-issuance telemetry for use of instance role or managed identity credentials
92 shortly after the request.
93- Pivot on `source.ip` and `user_agent.original` for related SSRF, scanning, or exploitation attempts across other web
94 hosts.
95
96### False positive analysis
97
98- Security scanners, authorized penetration tests, or WAF validation may send metadata URLs in test payloads. Confirm the
99 activity aligns with an approved assessment window and source before closing as benign.
100- Internal documentation, error pages, or security training content that echoes metadata URLs in query strings can
101 trigger the rule without an exploitable SSRF path. Verify the application does not perform outbound fetches based on
102 the matched input.
103
104### Response and remediation
105
106- Block the offending `source.ip` at the WAF or reverse proxy and add virtual patches to reject requests containing
107 metadata addresses or credential paths.
108- If exploitation is confirmed, isolate the affected application host, preserve access logs, and rotate any cloud role
109 or managed identity credentials that may have been exposed.
110- Patch or remediate the SSRF vulnerability by enforcing strict outbound allowlists, blocking link-local and metadata
111 destinations, and validating user-supplied URLs.
112- Enforce IMDSv2, hop limits, and least-privilege instance roles to reduce impact if metadata access succeeds.
113"""
114
115[[rule.threat]]
116framework = "MITRE ATT&CK"
117
118[[rule.threat.technique]]
119id = "T1552"
120name = "Unsecured Credentials"
121reference = "https://attack.mitre.org/techniques/T1552/"
122
123[[rule.threat.technique.subtechnique]]
124id = "T1552.005"
125name = "Cloud Instance Metadata API"
126reference = "https://attack.mitre.org/techniques/T1552/005/"
127
128[rule.threat.tactic]
129id = "TA0006"
130name = "Credential Access"
131reference = "https://attack.mitre.org/tactics/TA0006/"
132
133[[rule.threat]]
134framework = "MITRE ATT&CK"
135
136[[rule.threat.technique]]
137id = "T1190"
138name = "Exploit Public-Facing Application"
139reference = "https://attack.mitre.org/techniques/T1190/"
140
141[rule.threat.tactic]
142id = "TA0001"
143name = "Initial Access"
144reference = "https://attack.mitre.org/tactics/TA0001/"
Triage and analysis
Investigating Web Server Cloud Metadata SSRF Request
This alert flags inbound HTTP requests to a web server whose url.original or url.query contains cloud instance
metadata addresses, hostnames, or credential paths. A common attacker pattern is exploiting an SSRF vulnerability so
the application fetches http://169.254.169.254/latest/meta-data/iam/security-credentials/ or equivalent GCP and Azure
metadata routes, then reuses the returned role credentials against cloud APIs.
Possible investigation steps
- Review
url.original,url.query,http.request.method,http.response.status_code, andsource.ipto identify the injected metadata target, affected route, and whether the server returned a successful response. - URL-decode the request repeatedly and inspect parameters for nested encodings, redirect chains, or wrapper URLs that hide the metadata destination.
- Map the targeted endpoint to the backend handler and determine whether user-controlled input can influence outbound HTTP requests from the application.
- Correlate with application, proxy, and outbound network logs around
@timestampfor connections from the web server process to169.254.169.254,100.100.100.200,metadata.google.internal, or Azure metadata hosts. - Check cloud audit, sign-in, or token-issuance telemetry for use of instance role or managed identity credentials shortly after the request.
- Pivot on
source.ipanduser_agent.originalfor related SSRF, scanning, or exploitation attempts across other web hosts.
False positive analysis
- Security scanners, authorized penetration tests, or WAF validation may send metadata URLs in test payloads. Confirm the activity aligns with an approved assessment window and source before closing as benign.
- Internal documentation, error pages, or security training content that echoes metadata URLs in query strings can trigger the rule without an exploitable SSRF path. Verify the application does not perform outbound fetches based on the matched input.
Response and remediation
- Block the offending
source.ipat the WAF or reverse proxy and add virtual patches to reject requests containing metadata addresses or credential paths. - If exploitation is confirmed, isolate the affected application host, preserve access logs, and rotate any cloud role or managed identity credentials that may have been exposed.
- Patch or remediate the SSRF vulnerability by enforcing strict outbound allowlists, blocking link-local and metadata destinations, and validating user-supplied URLs.
- Enforce IMDSv2, hop limits, and least-privilege instance roles to reduce impact if metadata access succeeds.
References
Related rules
- Web Server Potential SQL Injection Request
- Web Server Potential Command Injection Request
- Web Server Suspicious User Agent Requests
- Web Server Discovery or Fuzzing Activity
- Web Server Local File Inclusion Activity