← Back to Explore
elasticmediumTTP
Web Server Cloud Metadata SSRF Request
Detects HTTP requests to web servers whose URL or query string references cloud instance metadata endpoints or equivalent encoded variants. Attackers exploit server-side request forgery (SSRF) vulnerabilities in web applications to reach link-local metadata services on AWS, GCP, Azure, and similar cloud providers and harvest temporary credentials, tokens, or instance details.
Detection Query
web where (
url.original : (
"*169.254.169.254*", "*169%2e254%2e169%2e254*", "*0xa9fea9fe*", "*0xa9.0xfe.0xa9.0xfe*",
"*2852039166*", "*0251.0376.0251.0376*", "*::ffff:169.254.169.254*", "*::ffff:a9fe:a9fe*", "*fd00:ec2::254*",
"*100.100.100.200*", "*169.254.170.2*", "*metadata.google.internal*", "*metadata.goog*", "*computeMetadata/v1*",
"*meta-data/iam/security-credentials*", "*meta-data%2Fiam%2Fsecurity-credentials*",
"*latest/meta-data*", "*latest/api/token*"
)
or
url.query : (
"*169.254.169.254*", "*169%2e254%2e169%2e254*", "*0xa9fea9fe*", "*0xa9.0xfe.0xa9.0xfe*",
"*2852039166*", "*0251.0376.0251.0376*", "*::ffff:169.254.169.254*", "*::ffff:a9fe:a9fe*", "*fd00:ec2::254*",
"*100.100.100.200*", "*169.254.170.2*", "*metadata.google.internal*", "*metadata.goog*", "*computeMetadata/v1*",
"*meta-data/iam/security-credentials*", "*meta-data%2Fiam%2Fsecurity-credentials*",
"*latest/meta-data*", "*latest/api/token*"
)
)
Author
Elastic
Created
2026/07/02
Data Sources
NginxApacheApache TomcatIISTraefikZeeklogs-nginx.access-*logs-apache.access-*logs-apache_tomcat.access-*logs-iis.access-*logs-traefik.access-*logs-zeek.http-*
References
Tags
Domain: WebDomain: CloudDomain: NetworkUse Case: Threat DetectionTactic: Credential AccessTactic: Initial AccessData Source: NginxData Source: ApacheData Source: Apache TomcatData Source: IISData Source: TraefikData Source: ZeekResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/07/02"
integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik", "zeek"]
maturity = "production"
updated_date = "2026/07/02"
[rule]
author = ["Elastic"]
description = """
Detects HTTP requests to web servers whose URL or query string references cloud instance metadata endpoints or
equivalent encoded variants. Attackers exploit server-side request forgery (SSRF) vulnerabilities in web applications
to reach link-local metadata services on AWS, GCP, Azure, and similar cloud providers and harvest temporary
credentials, tokens, or instance details.
"""
from = "now-9m"
index = [
"logs-nginx.access-*",
"logs-apache.access-*",
"logs-apache_tomcat.access-*",
"logs-iis.access-*",
"logs-traefik.access-*",
"logs-zeek.http-*"
]
language = "eql"
license = "Elastic License v2"
name = "Web Server Cloud Metadata SSRF Request"
references = [
"https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/",
"https://owasp.org/www-community/attacks/Server_Side_Request_Forgery",
]
risk_score = 47
rule_id = "8670bf41-cb64-4d65-a0d6-78af17cf8f30"
severity = "medium"
tags = [
"Domain: Web",
"Domain: Cloud",
"Domain: Network",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Tactic: Initial Access",
"Data Source: Nginx",
"Data Source: Apache",
"Data Source: Apache Tomcat",
"Data Source: IIS",
"Data Source: Traefik",
"Data Source: Zeek",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
web where (
url.original : (
"*169.254.169.254*", "*169%2e254%2e169%2e254*", "*0xa9fea9fe*", "*0xa9.0xfe.0xa9.0xfe*",
"*2852039166*", "*0251.0376.0251.0376*", "*::ffff:169.254.169.254*", "*::ffff:a9fe:a9fe*", "*fd00:ec2::254*",
"*100.100.100.200*", "*169.254.170.2*", "*metadata.google.internal*", "*metadata.goog*", "*computeMetadata/v1*",
"*meta-data/iam/security-credentials*", "*meta-data%2Fiam%2Fsecurity-credentials*",
"*latest/meta-data*", "*latest/api/token*"
)
or
url.query : (
"*169.254.169.254*", "*169%2e254%2e169%2e254*", "*0xa9fea9fe*", "*0xa9.0xfe.0xa9.0xfe*",
"*2852039166*", "*0251.0376.0251.0376*", "*::ffff:169.254.169.254*", "*::ffff:a9fe:a9fe*", "*fd00:ec2::254*",
"*100.100.100.200*", "*169.254.170.2*", "*metadata.google.internal*", "*metadata.goog*", "*computeMetadata/v1*",
"*meta-data/iam/security-credentials*", "*meta-data%2Fiam%2Fsecurity-credentials*",
"*latest/meta-data*", "*latest/api/token*"
)
)
'''
note = """## Triage and analysis
### Investigating Web Server Cloud Metadata SSRF Request
This alert flags inbound HTTP requests to a web server whose `url.original` or `url.query` contains cloud instance
metadata addresses, hostnames, or credential paths. A common attacker pattern is exploiting an SSRF vulnerability so
the application fetches `http://169.254.169.254/latest/meta-data/iam/security-credentials/` or equivalent GCP and Azure
metadata routes, then reuses the returned role credentials against cloud APIs.
#### Possible investigation steps
- Review `url.original`, `url.query`, `http.request.method`, `http.response.status_code`, and `source.ip` to identify
the injected metadata target, affected route, and whether the server returned a successful response.
- URL-decode the request repeatedly and inspect parameters for nested encodings, redirect chains, or wrapper URLs that
hide the metadata destination.
- Map the targeted endpoint to the backend handler and determine whether user-controlled input can influence outbound
HTTP requests from the application.
- Correlate with application, proxy, and outbound network logs around `@timestamp` for connections from the web server
process to `169.254.169.254`, `100.100.100.200`, `metadata.google.internal`, or Azure metadata hosts.
- Check cloud audit, sign-in, or token-issuance telemetry for use of instance role or managed identity credentials
shortly after the request.
- Pivot on `source.ip` and `user_agent.original` for related SSRF, scanning, or exploitation attempts across other web
hosts.
### False positive analysis
- Security scanners, authorized penetration tests, or WAF validation may send metadata URLs in test payloads. Confirm the
activity aligns with an approved assessment window and source before closing as benign.
- Internal documentation, error pages, or security training content that echoes metadata URLs in query strings can
trigger the rule without an exploitable SSRF path. Verify the application does not perform outbound fetches based on
the matched input.
### Response and remediation
- Block the offending `source.ip` at the WAF or reverse proxy and add virtual patches to reject requests containing
metadata addresses or credential paths.
- If exploitation is confirmed, isolate the affected application host, preserve access logs, and rotate any cloud role
or managed identity credentials that may have been exposed.
- Patch or remediate the SSRF vulnerability by enforcing strict outbound allowlists, blocking link-local and metadata
destinations, and validating user-supplied URLs.
- Enforce IMDSv2, hop limits, and least-privilege instance roles to reduce impact if metadata access succeeds.
"""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.005"
name = "Cloud Instance Metadata API"
reference = "https://attack.mitre.org/techniques/T1552/005/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"