Keensafe Breach & Attack Sim

bas-003 — SSRF → cloud metadata simulation

high · risk 80 · API

GET /api/v1/fetch?url= follows arbitrary attacker-supplied URLs, including the lab's stand-in for the AWS instance metadata service (IMDS, 169.254.169.254).

MITRE & OWASP

  • T1590 Gather Victim Network Information
  • T1538 Cloud Service Dashboard
  • API7:2023 Server Side Request Forgery

Preconditions

  • api.keensafeglobalbank.com reachable

Attack path

  1. attacker — GET /api/v1/fetch?url=http://169.254.169.254/latest/meta-data/
  2. app — Returns metadata-style response (lab simulation)
  3. attacker — Use the returned IAM role credentials with STS to pivot into the cloud account

Run

Running emits evidence JSON; no real exploitation runs.


Remediation

Allowlist outbound destinations for the fetch endpoint; deny RFC 1918, loopback and 169.254.0.0/16 (link-local, where IMDS sits at 169.254.169.254) on the address the host actually resolves to, not just on the URL string, and re-check every redirect hop; enforce IMDSv2-only (HttpTokens=required) on the instances so a plain GET without a PUT-obtained token returns nothing.
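The attack path above and this remediation, as one added example (not Keensafe's code or the target API's): a hardened version of a fetch handler that checks the allowlist, resolves the host and refuses any non-global address (so IMDS, decimal and IPv4-mapped IPv6 spellings of it, and an allowlisted name whose DNS is rebound all fail), then re-validates each redirect hop. The allowlisted hostnames, the resolver map and the HTTP responses are constructed stand-ins so it runs offline.

```python
"""Hardened server-side fetch for an endpoint like GET /api/v1/fetch?url=...
Added example: allowlist, resolved-address deny check, redirect re-validation."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple, Union
from urllib.parse import urljoin, urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3
# Hypothetical allowlist of destinations this fetch endpoint legitimately needs.
ALLOWED_HOSTS: Set[str] = {"cdn.example.com", "partner-api.example.com", "rebind.example.com"}


def default_resolver(host: str) -> List[str]:
    """Resolve with the system resolver (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def literal_ip(host: str) -> Optional[IPAddr]:
    """Parse hosts given as IP literals, including the bare-decimal form
    (2852039166 == 169.254.169.254) that urlsplit hands back as a plain string."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host.isdigit():
        try:
            return ipaddress.ip_address(int(host))
        except ValueError:
            pass
    return None


def is_forbidden_address(addr: IPAddr) -> bool:
    """Deny anything not globally routable: RFC 1918, loopback, 169.254.0.0/16
    (IMDS at 169.254.169.254), CGNAT 100.64.0.0/10 (Alibaba Cloud metadata at
    100.100.100.200), TEST-NET ranges, and their IPv4-mapped IPv6 forms."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def check_url(url: str, resolve: Callable[[str], Iterable[str]] = default_resolver,
              allowlist: Optional[Set[str]] = ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Return (allowed, reason). Allowlist first; resolved-address check second,
    so a hijacked or DNS-rebinding allowlisted name still cannot reach IMDS."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lowercased, brackets stripped, userinfo removed
    if not host:
        return False, "missing host"
    if allowlist is not None and host not in allowlist:
        return False, f"host {host!r} not on allowlist"
    try:
        literal = literal_ip(host)
        addrs = [literal] if literal else [ipaddress.ip_address(a) for a in resolve(host)]
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if is_forbidden_address(addr):
            return False, f"{host!r} resolves to non-global address {addr}"
    return True, "ok"


HttpGet = Callable[[str], Tuple[int, Dict[str, str], str]]  # (status, headers, body)


def safe_fetch(url: str, http_get: HttpGet,
               resolve: Callable[[str], Iterable[str]] = default_resolver,
               allowlist: Optional[Set[str]] = ALLOWED_HOSTS) -> Dict[str, object]:
    """Fetch url with redirects disabled in the transport and every Location:
    re-validated here; an allowlisted host that 302s to 169.254.169.254 is the
    classic way past a check that only looks at the original URL."""
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = check_url(url, resolve, allowlist)
        if not ok:
            return {"ok": False, "url": url, "reason": reason}
        status, headers, body = http_get(url)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return {"ok": True, "url": url, "status": status, "body": body}
    return {"ok": False, "url": url, "reason": "too many redirects"}


# Constructed offline stand-ins: a fake resolver (rebind.example.com is allowlisted
# but "hijacked" to also return the IMDS address) and a fake transport whose
# /redirect endpoint bounces the fetcher toward the metadata service.
FAKE_DNS = {
    "cdn.example.com": ["1.2.3.4"],
    "partner-api.example.com": ["5.6.7.8"],
    "rebind.example.com": ["1.2.3.4", "169.254.169.254"],
}
FAKE_HTTP = {
    "https://cdn.example.com/logo.png": (200, {}, "PNG..."),
    "https://partner-api.example.com/redirect":
        (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, ""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, "iam/\n"),
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_http_get(url: str) -> Tuple[int, Dict[str, str], str]:
    return FAKE_HTTP.get(url, (404, {}, ""))


if __name__ == "__main__":
    for u in ["http://169.254.169.254/latest/meta-data/", "http://2852039166/",
              "http://[::ffff:169.254.169.254]/", "https://rebind.example.com/x",
              "https://partner-api.example.com/redirect", "https://cdn.example.com/logo.png"]:
        print(u, "->", safe_fetch(u, fake_http_get, fake_resolve))
```

In production the `http_get` callable must be a client with redirects disabled (for example `requests.get(url, allow_redirects=False, timeout=...)`), otherwise the transport follows the 302 itself and the per-hop check never runs. Checking the resolved address rather than the hostname is what stops the decimal, IPv4-mapped and DNS-rebinding variants; the allowlist alone does not.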