Webhook-url-http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken

Understanding SSRF and Cloud Metadata Abuse: The Anatomy of a Malicious Webhook URL

When an attacker submits this encoded URL into an application's "Webhook URL" configuration field, they are attempting to execute an SSRF (Server-Side Request Forgery) attack. The exploit unfolds in a sequence of specific architectural steps.

How the Attack Works

1. Server-Side Request Forgery
The attacker finds a user input field meant for a third-party integration webhook and pastes the payload. If the web application takes user input to make an HTTP request (e.g., a "fetch URL" feature) and does not validate it, the attacker can input http://169.254.169 . The web server then makes a request to this endpoint on behalf of the attacker.

2. Token Theft
If that request succeeds, the attacker receives an access token. Depending on the Managed Identity attached to your server, that token could grant them access to whatever that identity is allowed to reach: the attacker can use it to impersonate your server and access your other Azure resources (like Databases or Key Vaults).

The vulnerable pattern is a server that fetches whatever URL the user supplied, with no validation of the scheme or the destination:

    import requests

    def register_webhook(user_provided_webhook_url):
        # Dangerous: Do not do this. The URL comes straight from the user
        # and is fetched without checking where it points.
        requests.get(user_provided_webhook_url)
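A defensive check for the "Webhook URL" field described above, added here as an example and not code from the original page. The function name, the injectable `resolver` parameter and the sample payload are constructed for illustration:

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

# Constructed sample: the percent-encoded payload discussed above, as an
# application might receive it from the "Webhook URL" form field.
ENCODED_PAYLOAD = "http%3a%2f%2f169.254.169.254%2fmetadata%2fidentity%2foauth2%2ftoken"

ALLOWED_SCHEMES = {"http", "https"}


def is_forbidden_ip(ip):
    """True for any address an outbound webhook must never reach: link-local
    (where the cloud metadata service lives), loopback, private, multicast,
    reserved and unspecified addresses."""
    return (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_webhook_url(raw, resolver=socket.getaddrinfo):
    """Decode, parse and check a user-supplied webhook URL; returns (ok, reason).
    `resolver` is a hypothetical injectable parameter so the check can run
    offline in tests; by default it is the real DNS resolver."""
    url = unquote(raw)                      # undo the %3a%2f... encoding first
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "invalid port"
    try:
        targets = [ipaddress.ip_address(host)]      # literal IP, e.g. 169.254.169.254
    except ValueError:                              # hostname: resolve, check every answer
        try:
            infos = resolver(host, port)
        except OSError as exc:
            return False, f"DNS resolution failed: {exc}"
        targets = [ipaddress.ip_address(info[4][0]) for info in infos]
    for ip in targets:
        if is_forbidden_ip(ip):
            return False, f"{host} resolves to forbidden address {ip}"
    return True, "ok"
```

Resolve-then-check is still racy against DNS rebinding, so have the HTTP client connect to the address that was validated (or re-check at connect time) and disable automatic redirects, since a redirect to the metadata address would otherwise bypass this check.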