Webhook URL: http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken

Attackers also try similar, slightly different spellings of the metadata address to slip past naive URL filters; the address itself, 169.254.169.254, is shared by the AWS and Azure metadata services, so a filter that only matches the literal dotted form protects neither.

The Security Risk: Why This URL is Dangerous

When a webhook or a web application is tricked into querying this URL, it requests, on the attacker's behalf, an OAuth2 access token for the managed identity of the Azure VM (or other compute resource) hosting the web service.

Thus, the encoded string is an attempt to make a webhook URL point to the instance metadata endpoint, a classic sign of a Server-Side Request Forgery (SSRF) attack aiming to steal temporary credentials.

If the instance has a managed identity enabled, the metadata endpoint responds with a JSON object containing an access_token. On Azure the request must also carry the header Metadata: true and the query parameters api-version (e.g. 2018-02-01) and resource (the token audience, e.g. https://vault.azure.net or https://management.azure.com/). The query parameters are no obstacle, because they can be placed in the URL itself (e.g., ?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F); the Metadata: true header is the part a URL-only SSRF cannot supply, which is exactly why Azure requires it. An SSRF primitive that also lets the attacker control request headers, or a webhook feature that lets users add custom headers, removes that protection.

The substring http-3A-2F-2F is not standard percent-encoding (which uses %). Instead, it appears to be a manual or log-friendly variant in which the % of each encoded byte is replaced by a hyphen: -3A stands for ':' and -2F for '/', so the full string decodes to http://169.254.169.254/metadata/identity/oauth2/token.

A legitimate token request, issued from inside the VM, looks like this (the resource value is percent-encoded inside the query string):

    GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F HTTP/1.1
    Host: 169.254.169.254
    Metadata: true

Server-Side Request Forgery occurs when an attacker forces a server-side application to make HTTP requests to an arbitrary domain or IP chosen by the attacker.

How Webhooks Become Vulnerable

A webhook is, by design, a URL supplied by a user that the server will call later. If the application does not validate that destination, an attacker registers the metadata endpoint as their "webhook"; the server, which unlike the attacker sits inside the VM where the link-local address is reachable, makes the request and frequently echoes, logs or stores the response where the attacker can read it.
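The destination check a webhook handler should run before following a submitted URL, as an added example (not code from the original page): it undoes the hyphen-for-percent encoding described above, then normalizes the host through the alternative spellings of 169.254.169.254 that inet_aton accepts (a single decimal integer, hex, octal, two- or three-part dotted forms, IPv4-mapped IPv6) before comparing it with the link-local range, which is the check the earlier note about similar, slightly different addresses calls for. The function names, the hostname list and the sample URLs are assumptions.

```python
"""Webhook destination check: decode the hyphen-encoded URL and refuse metadata-service targets.

Added example (not from the original page). Function names, the hostname list and the
sample URLs below are assumptions / constructed test input.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Both AWS and Azure answer on 169.254.169.254; block the whole IPv4 link-local range.
METADATA_NET = ipaddress.ip_network("169.254.0.0/16")
# Hostnames that resolve to the metadata service on some clouds (assumed list).
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}

# '-3A' stands for '%3A': the '%' of percent-encoding was replaced by '-'.
_HYPHEN_HEX = re.compile(r"-([0-9A-Fa-f]{2})")


def decode_hyphen_encoding(s: str) -> str:
    """'http-3a-2f-2f169.254.169.254-2fmetadata' -> 'http://169.254.169.254/metadata'."""
    return unquote(_HYPHEN_HEX.sub(r"%\1", s))


def _parse_part(part: str) -> int:
    """One inet_aton-style component: hex with 0x, octal with a leading 0, else decimal."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def normalize_ipv4(host: str):
    """Return an IPv4Address for any spelling inet_aton accepts, or None if host is not one.

    Handles dotted decimal, a single 32-bit integer (2852039166), hex (0xa9fea9fe),
    octal (0251.0376.0251.0376), 2- or 3-part forms (169.254.43518) and IPv4-mapped IPv6.
    """
    try:
        addr = ipaddress.ip_address(host)
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            return addr.ipv4_mapped
        return addr if addr.version == 4 else None
    except ValueError:
        pass
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None  # not numeric at all: treat as a DNS name
    # inet_aton semantics: the last component fills all remaining bytes.
    last_bits = 8 * (5 - len(parts))
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << last_bits:
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << last_bits) | values[-1]
    return ipaddress.IPv4Address(n)


def is_metadata_target(url: str) -> bool:
    """True when the URL's host is the metadata service under any of the spellings above."""
    host = urlsplit(url).hostname
    if not host:
        return False
    if host.lower() in METADATA_HOSTNAMES:
        return True
    addr = normalize_ipv4(host)
    if addr is None:
        # Plain DNS name: a real deployment must resolve it, check every returned
        # address against METADATA_NET, and connect to the checked address
        # (otherwise DNS rebinding defeats the check). Not done here (offline example).
        return False
    return addr in METADATA_NET


def check_webhook_url(raw: str):
    """Decode a submitted webhook URL; return (allowed, decoded_url)."""
    # Only apply the hyphen decoding to strings that are not already plain URLs,
    # so a legitimate hostname containing e.g. '-2f' is not mangled.
    url = raw if "://" in raw else decode_hyphen_encoding(raw)
    if urlsplit(url).scheme not in ("http", "https"):
        return False, url
    return not is_metadata_target(url), url


if __name__ == "__main__":
    # Constructed inputs: the encoded string from the page title and a few evasions.
    for raw in (
        "http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken",
        "http://2852039166/metadata/identity/oauth2/token",
        "http://0xa9fea9fe/metadata/identity/oauth2/token",
        "http://[::ffff:169.254.169.254]/metadata/identity/oauth2/token",
        "https://hooks.example.com/incoming",
    ):
        allowed, url = check_webhook_url(raw)
        print("accepted" if allowed else "rejected", url)
```

The numeric normalizer matters more than the literal-string match: a blocklist that only compares against "169.254.169.254" lets 2852039166, 0xa9fea9fe or 169.254.43518 straight through, and the HTTP client will happily connect to all of them. For DNS names the check must be performed on the resolved addresses and the connection pinned to the address that was checked.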

Configure host firewall rules (iptables or nftables on Linux, Windows Firewall on Windows) on the hosting instance to restrict which local system users or processes are permitted to initiate outbound requests to 169.254.169.254. This has to be done on the host: a network security group cannot tell which local process opened a connection, and per-user or per-process restriction is the point here. For instance, only the specific service account running the application logic that legitimately needs a token should be able to reach the metadata IP; the web server worker that follows webhook URLs should not.

4. Apply the Principle of Least Privilege
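The host-firewall rule set just described, as an added example (not from the original page): iptables' owner match on the OUTPUT chain lets exactly one local account reach the metadata address, while every other process gets a logged reject. The account name webhook-svc is an assumption; pass your own user name or numeric uid.

```shell
#!/bin/sh
# Added example (not from the original page): allow exactly one local account to reach the
# Azure metadata address and reject (and log) everyone else. The account name 'webhook-svc'
# is an assumption; pass your own user name or numeric uid. Applying requires root.
set -u

IMDS_IP="169.254.169.254"

# Emit the iptables commands, one per line. The owner match is only valid in OUTPUT, which is
# where locally originated traffic to the link-local address is decided. Rules are inserted at
# the top of the chain in order (ACCEPT, LOG, REJECT) so a broad "-j ACCEPT" lower down
# cannot shadow them.
imds_rules() {
    allowed="$1"
    printf '%s\n' \
        "iptables -I OUTPUT 1 -d ${IMDS_IP}/32 -m owner --uid-owner ${allowed} -j ACCEPT" \
        "iptables -I OUTPUT 2 -d ${IMDS_IP}/32 -j LOG --log-prefix 'IMDS-DENY ' --log-level warning" \
        "iptables -I OUTPUT 3 -d ${IMDS_IP}/32 -j REJECT --reject-with icmp-port-unreachable"
}

# Apply the rules (root). Each emitted line is a complete command, so run it through sh;
# the first failure aborts the pipeline with a non-zero status.
imds_apply() {
    imds_rules "$1" | while IFS= read -r rule; do
        sh -c "$rule" || { echo "failed: $rule" >&2; exit 1; }
    done
}

# Verify as the allowed account and as a denied one: the allowed account sees 200 (or 400
# if no managed identity is assigned), a denied one gets connection refused (000 from curl).
# Only the HTTP status is printed; the token body is discarded.
imds_probe() {
    curl -s -o /dev/null -w '%{http_code}\n' --max-time 3 -H 'Metadata: true' \
        "http://${IMDS_IP}/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F"
}

case "${1:-}" in
    show)  imds_rules "${2:-webhook-svc}" ;;
    apply) imds_apply "${2:-webhook-svc}" ;;
    probe) imds_probe ;;
    *)     : ;;
esac
```

Run it with show first to review the rules, then apply as root, then probe as the allowed account and as the web server's account. Before applying, check which local accounts legitimately call the metadata service (cloud agents and monitoring tools may) and add an ACCEPT rule for each of them in the same position; denied attempts show up in the kernel log under the IMDS-DENY prefix, which is also a useful detection signal for an SSRF attempt in progress.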