curl --url http://169.254.169.254/latest/api/token Jun 2026
Attackers routinely scan web applications for SSRF vulnerabilities. If an application accepts a URL input from a user, an attacker will input variants of http://169.254.169.254 to see if the backend server attempts to connect to its own metadata service.
curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254
Once an attacker has command execution on a VM (via a vulnerability like Log4Shell), they run:
You include that token in the header of all subsequent metadata requests.
Breaking Down the Command
Because the metadata service didn't ask for a "password," a hacker could trick an app into revealing the instance's secret IAM credentials.
Simplest and safest – no token caching:
This command is not merely a GET request; it is a PUT request that creates a session token.
In a real-world script, this URL is only the first half of the puzzle. You use the token generated by that URL to actually get your data. Here is the complete script "piece":
# Step 1: Get the token (Your URL)
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# Step 2: Use the token to get metadata (The Result)
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/placement/region
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region

The same token request in Go (the original snippet omitted its imports and ignored every error, so a failed connection would dereference a nil response):

package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// getToken performs the IMDSv2 PUT to /latest/api/token and returns the
// session token. The TTL header is mandatory; without it IMDS answers 400.
func getToken() (string, error) {
	req, err := http.NewRequest(http.MethodPut, "http://169.254.169.254/latest/api/token", nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("X-aws-ec2-metadata-token-ttl-seconds", "21600")
	// Short timeout: the link-local address is unreachable outside EC2.
	client := &http.Client{Timeout: 2 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("IMDS token request failed: %s", resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

func main() {
	token, err := getToken()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// The token is sent in X-aws-ec2-metadata-token on every later metadata request.
	fmt.Println(token)
}
However, the simplified command in your keyword, curl http://169.254.169.254/latest/api/token, returns only the session token, not the credentials themselves. Still, in a real attack, once the attacker has this token, they can use it to fetch IAM credentials.
You must first perform a PUT request to /latest/api/token to generate a temporary session token.
This command is the gateway to securing Amazon Web Services (AWS) EC2 instances using the Instance Metadata Service Version 2 (IMDSv2). It allows an application or administrator to request a session token, which acts as a protective layer against Server-Side Request Forgery (SSRF) vulnerabilities.
What is 169.254.169.254?
