: The attacker submits the IMDS URL as a webhook.
A is a way for an application to provide other applications with real-time information. When you see a "Webhook URL" field in a web application, the app is essentially saying, "Give me a URL, and I will send data to it." : The attacker submits the IMDS URL as a webhook
If you see this URL appearing in your logs or as a suggested input, take the following steps: Use an allowlist for domains or block the 169
: Never allow webhooks to point to internal or link-local IP ranges. Use an allowlist for domains or block the 169.254.0.0/16 range entirely. When code runs on a cloud virtual machine,
The specific path in the keyword— /metadata/identity/oauth2/token —is the Azure-specific endpoint for fetching managed identity tokens. : The IMDS "magic" IP.
When code runs on a cloud virtual machine, it can "talk" to this IP to get information about itself without needing external credentials. It is a feature designed for convenience, allowing the VM to discover its own role, region, and—most importantly—its . Anatomy of the URL
: The server, thinking it’s sending a notification to an external service, instead sends a GET request to the local metadata endpoint.