Webhook URL: http://169.254.169.254/metadata/identity/oauth2/token (Jun 2026)

If a user is able to provide this URL to a "Webhook" or "URL Fetcher" feature, it allows them to perform an SSRF attack. This can lead to:

Attackers can force the app to retrieve tokens for them.

SSRF to Managed Identity Attack. This is one of the most common cloud-nat... (Swapnil Sonawane, "Exploiting Azure Misconfiguration: A Step-by-Step", Medium)

    GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/ HTTP/1.1
    Host: 169.254.169.254
    Metadata: true

To successfully call this endpoint, you must include the HTTP header Metadata: true.

Example Request:

    curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -H "Metadata:true"

🛡️ Security Risk: SSRF Vulnerability

Use a webhook secret to verify that the outgoing request is legitimate.