OWASP ZAP – Cloud Metadata Potentially Exposed

Details
Alert Id	90034
Alert Type	Active
Status	release
Risk	High
CWE
WASC
Technologies Targeted	All
Tags	OWASP_2017_A06 OWASP_2021_A05

Summary

The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure. All of these providers provide metadata via an internal unroutable IP address ‘169.254.169.254’ - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field.

Solution

Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker.

References

https://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/

Code

org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRule.java