Webhook URL http://169.254.169.254/metadata/identity/oauth2/token [2021]

If you are seeing this URL in a "webhook" context, it usually indicates one of two things: a legitimate integration for cloud identity or a vulnerability being tested.

1. URL Encoding Over Wires (-3A-2F-2F and -2F)

System parameters or automated security scanners replace standard characters like : and / with hex values (so http:// appears as http-3A-2F-2F and each / as -2F) to cleanly bypass basic text string filters on input fields.

Deciphering the Webhook URL

The IP address 169.254.169.254 is a non-routable link-local address used by major cloud providers like Azure, AWS, and GCP to host their Instance Metadata Service (IMDS). In Azure, this endpoint is used by Managed Identities for Azure resources to request OAuth2 access tokens, enabling the VM to authenticate to other Azure services (like Key Vault or Storage) without embedding credentials in code.

The URL http://169.254.169.254/metadata/identity/oauth2/token is specifically designed for:
Identity: Requesting a managed identity token.
OAuth2: Using the OAuth 2.0 protocol.
Token: Fetching an access token.

Here's an example response (simplified):

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs...",
  "expires_in": "86399",
  "token_type": "Bearer"
}

🛠️ Legitimate Use Cases

The URL in question is a webhook endpoint that seems to be designed to retrieve an OAuth2 token from the Azure Instance Metadata Service.

The Security Vulnerability: Webhook SSRF

The attacker finds a feature that accepts a URL and later fetches it from the server side. A common example is a webhook registration such as:

{
  "event": "user.signup",
  "webhook": "https://myservice.com/callback"
}

The Security Risk: Why This URL is Dangerous

When a webhook or a web application is tricked into querying this URL, it attempts to fetch the identity token of the machine hosting the web service.

Security teams can look for the plain URL and its dash-hex-encoded form:

169\.254\.169\.254(-[A-Fa-f0-9]{2})*

http://169.254.169.254/metadata/identity/oauth2/token

If you are on Azure, ensure your metadata service requires the Metadata: true header and the X-Identity-Header. However, never rely on this as your only defense, since the attacker can still forge headers.

As cloud adoption grows, metadata service endpoints become prime targets. A single unvalidated webhook URL can lead to full cloud account compromise, data breaches, and cryptojacking.