The Leaky Metadata

IMDSv1 turns any SSRF bug into credential theft. Find it, fix it, and build without it.

medium

45 min

The Instance Metadata Service is one of the most useful and most dangerous convenience features in . It provides local access to metadata and temporary credentials for any workload running on an instance. When HttpTokens is set to optional, any process that can send a plain HTTP GET to 169.254.169.254 can retrieve those credentials, including requests forwarded by a misconfigured proxy or a vulnerable application running on the same host.

That is how a server-side request forgery becomes IAM credential theft. IMDSv2 raises the bar by requiring a PUT-based token exchange before any credential retrieval. That one design change breaks the most common SSRF-to-metadata attack path entirely.

Learning Objectives

By the end of this room, you will be able to:

  • Understand the difference between IMDSv1 and IMDSv2 and why it matters
  • Identify EC2 instances where HttpTokens is still set to optional
  • Demonstrate the unauthenticated credential retrieval path that IMDSv1 allows
  • Enforce IMDSv2 on an existing instance and verify that the old flow no longer works
  • Launch a new instance that requires IMDSv2 from the start
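
The identification step from the objectives above, as an added example that is not part of the room's own material: it reads a document in the shape of `aws ec2 describe-instances` output, classifies each instance by its `MetadataOptions`, and prints the AWS CLI command that enforces IMDSv2 on the ones still accepting IMDSv1. The sample document and its instance IDs are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output
# (instance IDs are placeholders, not real resources).
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"},
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "State": {"Name": "running"},
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled",
                         "HttpPutResponseHopLimit": 1}}]},
  {"Instances": [
    {"InstanceId": "i-0ccccccccccccccc3", "State": {"Name": "stopped"},
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ddddddddddddddd4", "State": {"Name": "running"}}]}
]}
""")

def classify(instance):
    """Return 'imdsv1-allowed', 'imdsv2-only', 'imds-disabled' or 'unknown'."""
    opts = instance.get("MetadataOptions")
    if not opts or "HttpTokens" not in opts:
        return "unknown"            # missing data is reported, never assumed safe
    if opts.get("HttpEndpoint") == "disabled":
        return "imds-disabled"      # no metadata endpoint to reach at all
    return "imdsv2-only" if opts["HttpTokens"] == "required" else "imdsv1-allowed"

def audit(describe_output):
    """Map every instance ID in a describe-instances document to its status."""
    return {inst["InstanceId"]: classify(inst)
            for res in describe_output.get("Reservations", [])
            for inst in res.get("Instances", [])}

def remediation(instance_id):
    """AWS CLI command that enforces IMDSv2 on one existing instance."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {instance_id} --http-tokens required --http-endpoint enabled")

if __name__ == "__main__":
    for iid, status in audit(SAMPLE).items():
        print(f"{iid}  {status}")
        if status == "imdsv1-allowed":
            print("  fix:", remediation(iid))
```

To audit a real account, replace `SAMPLE` with the parsed JSON from `aws ec2 describe-instances` for each region in use.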

Prerequisites

You only need to redirect one request. The rest follows.