WIZ Bug Bounty Master Class: SSRF Vulnerability on Major Gaming Company
URL: https://content-service.bugbountymasterclass.com
Jared Douville
March 27, 2026 (Updated: March 27, 2026)
AWS Metadata Hack exploits a Server-Side Request Forgery (SSRF) vulnerability to trick an EC2 instance into revealing temporary IAM credentials via the local metadata service at 169.254.169.254. This allows attackers to assume the instance's identity, potentially accessing sensitive data and moving laterally within the AWS environment. For more information, visit Hacking The Cloud.
Reconnaissance & Discovery
The application features a "Content Fetcher" service designed to retrieve images or text from external URLs. While testing the url parameter, I noticed the server was performing outbound requests without strict validation of the destination.
Instead of pointing it at a legitimate image, I tested if I could force the server to talk to its own internal interface.
The Exploitation Path
In cloud environments (AWS, GCP, Azure), there is a metadata service reachable at a non-routable IP address: 169.254.169.254. This service contains sensitive information about the instance, including IAM Role Credentials.
1. The Initial Probe: I submitted a request to the Metadata endpoint: http://169.254.169.254/latest/meta-data/
2. The "Aha!" Moment: The server responded with a directory listing of internal metadata. This confirmed that the application was vulnerable to Blind SSRF, allowing me to pivot into the internal network.
3. Extracting the Flag (The Payload)
https://content-service.bugbountymasterclass.com/api/content/v2/module/1/version/1/staged-files/test/http://169.254.169.254/latest/meta-data/iam/security-credentials/content-service-role
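A destination check that a fetcher like this one could run before making the outbound request, as an added example (not code from the original post or the application): it rejects any URL whose host is, or resolves to, a non-public address such as 169.254.169.254. The function names, the route-parsing regex and the injectable `resolver` parameter are assumptions made for illustration.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Route from the write-up's request, combined here with the listing endpoint it probed.
SAMPLE_PATH = ("/api/content/v2/module/1/version/1/staged-files/test/"
               "http://169.254.169.254/latest/meta-data/")

def embedded_target(request_path):
    """Return the URL carried in the tail of the path, or None (route shape assumed)."""
    m = re.search(r"/(https?://.+)$", request_path)
    return m.group(1) if m else None

def system_resolver(host):
    """Every address the name maps to; needs working DNS."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public(addr):
    ip = ipaddress.ip_address(addr)
    # Classify IPv4-mapped IPv6 (::ffff:a.b.c.d) by the IPv4 address inside it.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    # False for link-local (169.254.0.0/16), loopback, RFC 1918 and other reserved space.
    return ip.is_global

def check_destination(url, resolver=system_resolver):
    """Return (allowed, detail) for a user-supplied fetch URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    try:
        addrs = {str(ipaddress.ip_address(parts.hostname))}  # literal IP, no DNS
    except ValueError:
        try:
            addrs = set(resolver(parts.hostname))
        except OSError:
            return False, "resolution failed"
    # Reject if ANY resolved address is internal, not just the first one.
    blocked = sorted(a for a in addrs if not is_public(a))
    if blocked or not addrs:
        return False, "non-public address: " + ", ".join(blocked)
    return True, sorted(addrs)

if __name__ == "__main__":
    print(check_destination(embedded_target(SAMPLE_PATH)))
```

The check only holds if the fetcher then connects to the addresses that were validated and repeats it on every redirect. Requiring IMDSv2 on the instance is a separate layer that does not depend on the application getting this right.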
Takeaways: Tools like Active scanner can be very useful and are worth using in your workflow. (Thanks to the team behind active scan!)
Links:
Access instance metadata for an EC2 instance
ActiveScan++