Webhook-url-http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken

If the application does not validate the URL or restrict outbound requests, the attacker supplies the encoded string webhook-url-http-3A-2F-2F169.254.169.254-2Fmetadata-2Fidentity-2Foauth2-2Ftoken. In many cases the application decodes it automatically (e.g., when parsing query parameters), or the attacker simply sends the decoded form as a raw URL.

A legitimate webhook registration looks like this:

```json
{
  "event": "user.signup",
  "webhook": "https://myservice.com/callback"
}
```

A validator that decodes the URL, resolves the host, and rejects internal address ranges before any outbound request is made:

```python
import ipaddress
import socket
from urllib.parse import unquote, urlparse


def is_safe_webhook_url(user_input):
    decoded = unquote(user_input)
    parsed = urlparse(decoded)
    if parsed.scheme not in ('http', 'https'):
        return False
    if not parsed.hostname:
        return False
    # Resolve hostname to an IPv4 address (gethostbyname returns only one answer)
    try:
        ip = socket.gethostbyname(parsed.hostname)
    except socket.gaierror:
        return False
    # Reject private (RFC 1918), link-local and loopback ranges
    private = [
        ipaddress.ip_network('10.0.0.0/8'),
        ipaddress.ip_network('172.16.0.0/12'),
        ipaddress.ip_network('192.168.0.0/16'),
    ]
    link_local = ipaddress.ip_network('169.254.0.0/16')
    loopback = ipaddress.ip_network('127.0.0.0/8')
    ip_obj = ipaddress.ip_address(ip)
    if any(ip_obj in net for net in private) or ip_obj in link_local or ip_obj in loopback:
        return False
    # Additional: allowlist check on the hostname
    allowed = ['api.yourservice.com']
    if parsed.hostname not in allowed:
        return False
    return True
```

Attackers cannot talk to 169.254.169.254 directly from their own machine: it is a link-local address that is not routable on the public internet. But if your application has a vulnerability like this one, attackers can trick your server into making the request to the metadata service on their behalf.
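As an added example (not the page's own code), the same check generalised a step further than the validator above: it inspects every resolved address rather than one, unwraps IPv4-mapped IPv6 literals, and rejects a hostname that resolves to the metadata address. The resolver table, the hostname rebound.example and the public address 23.45.67.89 are constructed stand-ins so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlparse

# Constructed sample inputs: the page's decoded metadata URL, the same URL
# percent-encoded, and a few other forms a validator must also refuse.
SAMPLE_WEBHOOKS = {
    "http://169.254.169.254/metadata/identity/oauth2/token": False,
    "http%3A%2F%2F169.254.169.254%2Fmetadata%2Fidentity%2Foauth2%2Ftoken": False,
    "http://[::ffff:169.254.169.254]/metadata": False,  # IPv4-mapped IPv6 literal
    "http://127.0.0.1:8080/admin": False,
    "file:///etc/passwd": False,
    "https://rebound.example/cb": False,  # hypothetical host resolving to the metadata IP
    "https://api.yourservice.com/callback": True,
}

def resolve_all(hostname):
    """Return every address the hostname resolves to (IPv4 and IPv6)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    # split('%') drops a scope id such as fe80::1%eth0 before parsing
    return [ipaddress.ip_address(info[4][0].split('%')[0]) for info in infos]

def fake_resolver(hostname):
    """Constructed offline stand-in for DNS so the example runs without network."""
    table = {"api.yourservice.com": ["23.45.67.89"],  # made-up public address
             "rebound.example": ["169.254.169.254"]}
    try:
        return [ipaddress.ip_address(hostname)]  # bare IP literal needs no lookup
    except ValueError:
        return [ipaddress.ip_address(a) for a in table.get(hostname, [])]

def is_disallowed_address(addr):
    """True for anything that is not a public unicast address."""
    # Unwrap ::ffff:a.b.c.d so it is judged as the IPv4 address it carries.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global) or addr.is_multicast

def is_safe_webhook_url(user_input, resolver=resolve_all, allowed_hosts=None):
    """Decode, parse and vet a user-supplied webhook URL before any request is made."""
    parsed = urlparse(unquote(user_input))
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    if allowed_hosts is not None and parsed.hostname not in allowed_hosts:
        return False
    addrs = resolver(parsed.hostname)
    # Every resolved address must be public; an empty answer is treated as unsafe.
    return bool(addrs) and not any(is_disallowed_address(a) for a in addrs)
```

Passing the real `resolve_all` makes the check live; note that the address must also be pinned for the actual connection, otherwise a second DNS lookup at request time can still return a different answer.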

Written by Vijay Patel

Vijay Patel is the CEO & Founder of Info Stans, guiding a team of skilled developers in creating innovative web and mobile solutions. With an IT Masters and over 10 years of experience, he specializes in crafting solutions that boost business efficiency and ROI across various industries.