Webhook-url-http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken [patched] -

This URL is frequently targeted by attackers via . If an application allows users to provide a "Webhook URL" and doesn't validate it, an attacker can input this metadata URL to steal the VM's identity token. Potential Impact

Here is what the log entry is telling us: This URL is frequently targeted by attackers via

: Services like Azure and AWS now require specific custom headers (e.g., Metadata: true ) for these internal requests to prevent simple SSRF. Ensure your application does not allow users to set these headers. Ensure your application does not allow users to

This is the (RFC 3927) reserved for cloud metadata services. When an attacker sends you a webhook URL that looks like http://169.254.169.254/metadata/identity/oauth2/token , they aren't trying to send you a friendly notification. They are trying to trick your server into stealing its own cloud identity tokens. They are trying to trick your server into