Fetch-url-http-3a-2f-2fmetadata.google.internal-2fcomputemetadata-2fv1-2finstance-2fservice-accounts-2f
curl -H "Metadata-Flavor: Google" \
  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email"
Suddenly, the innocent request transformed back into the forbidden address: http://metadata.google.internal...
Web applications often implement features that pull data from external links—such as fetching profile pictures, generating PDF reports from templates, or parsing RSS feeds. If the input parameter (like fetch-url or url) is poorly sanitized, an attacker can swap a valid external URL with an internal cloud network endpoint.

2. The Internal Host (metadata.google.internal)
By accessing the specified URL, your application running on a Compute Engine instance can fetch the service account credentials (OAuth 2.0 tokens) without needing to know or store any secrets. This approach helps secure your service accounts because you do not have to distribute JSON key files.
When decoded, the path translates to http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/. This represents the internal directory mapping the core IAM roles tied to a virtual machine (VM), serverless app, or container instance.

Anatomy of the Targeted Endpoint
The server, a diligent but naive worker, received the command: "Fetch this URL for me." It saw the prefix fetch-url- and obediently parsed the rest. It didn't recognize the local network it lived in; it only saw the instruction to go to http://metadata.google.internal.
Zero wasn't looking for a brute-force entry; they were looking for logic flaws. They found the update_inventory.py script exposed via a misconfigured API endpoint. They realized the script would fetch any URL they gave it and return the result.
When working with service accounts and metadata, it's essential to consider security implications:
The flow usually looks like this:
The Google Compute Engine metadata service is a RESTful API that provides a simple way for instances to access metadata. Here's a high-level overview of how it works:
Seeing fetch-url-http-...metadata.google.internal... is a sign that your application is correctly trying to leverage the native Google Cloud identity system. It allows your code to run securely without hardcoding passwords or keys inside your application code.