Webhook-url-http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken Exclusive

| Permission Level | Potential Actions |
|-----------------|-------------------|
| Reader on a single storage account | Read all blobs, files, tables – data exfiltration |
| Contributor on a resource group | Deploy malicious VMs, modify configurations, delete resources |
| Key Vault User | Read secrets, certificates, encryption keys |
| Virtual Machine Contributor | Start/stop VMs, create snapshots, install extensions |
| Global Administrator (rare, but possible if identity is assigned to privileged roles) | Full takeover of Azure AD tenant |

asks the Azure fabric for a token representing the server's identity. If successful, the server receives a JSON Web Token (JWT).

Token Exfiltration: The vulnerable application server processes the request. Because the request originates inside the server, the server queries its own link-local IP (169.254.169.254). Those tokens can be used to access other cloud resources like databases, storage buckets (S3/Blob), or Key Vaults.

The full URL broken down:

That ugly string in your logs, webhook-url-http-3A-2F-2F169.254.169.254, is not a configuration error. It is a .


The input string is URL-encoded (-3A is ":" and -2F is "/"). Decoding the hexadecimal sequences reveals the actual target: http://169.254.169.254/metadata/identity/oauth2/token

The IP address 169.254.169.254 is a non-routable link-local address reserved by major cloud service providers. It hosts the . This server is only accessible from inside the running instance or virtual machine itself. It contains vital data about the environment, network configurations, and assigned identity permissions.

3. The Target Endpoint ( /metadata/identity/oauth2/token )