Webhook URL: http://169.254.169.254/metadata/identity/oauth2/token

Leo’s server receives the webhook request. It doesn't see a "bad" website; it sees an internal command.

Don't be that developer. Block 169.254.169.254 today.

The /metadata/identity/oauth2/token path specifically handles identity: this endpoint is used to request access tokens for Azure resources. If it is accessed with the correct headers (specifically Metadata: true), Azure returns a JSON response containing an access_token. An attacker who retrieves this token can use it to authenticate to Azure services (like Key Vault, Storage, or SQL) as that virtual machine.
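The "Block 169.254.169.254" advice above, applied at the point where a user-supplied webhook URL is accepted: a validator that refuses the IMDS address and, more generally, any link-local, private, loopback or reserved target, checking both literal IPs (including IPv4-mapped IPv6 literals) and every address a hostname resolves to. This is an added example, not code from the original page; the hostnames and the DNS table are constructed so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Azure IMDS address from the text; the whole link-local block and every other
# non-public range is denied too, since no real webhook target lives there.
IMDS_IPV4 = ipaddress.ip_address("169.254.169.254")

CONSTRUCTED_DNS = {  # constructed table so the example runs offline (not real hosts)
    "hooks.example.com": {"93.184.216.34"},
    "rebind.example.test": {"93.184.216.34", "169.254.169.254"},
}

def offline_resolver(host):
    """Stand-in for DNS; empty set for unknown names."""
    return CONSTRUCTED_DNS.get(host, set())

def live_resolver(host):
    """Real lookup: every A/AAAA record the HTTP client could connect to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_denied(ip):
    """True for the metadata address and any address an SSRF should never reach."""
    target = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    return (target == IMDS_IPV4 or target.is_link_local or target.is_private
            or target.is_loopback or target.is_reserved or target.is_multicast
            or target.is_unspecified)

def validate_webhook_url(url, resolver=live_resolver):
    """Return (ok, reason); ok is False if any resolved address is denied."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ips = {ipaddress.ip_address(host)}  # literal IPv4/IPv6 in the URL
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:  # socket.gaierror is an OSError subclass
            addrs = set()
        if not addrs:
            return False, f"cannot resolve {host}"
        ips = {ipaddress.ip_address(a) for a in addrs}
    for ip in ips:
        if is_denied(ip):  # one bad record is enough: reject the whole URL
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"
```

Resolving at validation time does not bind the HTTP client to that answer, so re-run the check on every redirect or connect to the validated address directly. Since IMDS only answers when the Metadata: true header is present, the webhook sender should also never let the caller set arbitrary outgoing headers.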

If any system is tricked into making a webhook POST or GET request to this exact URL, and that system is running inside Azure with a Managed Identity enabled, the attacker would receive an access token for that identity. Depending on the role assigned, this could allow: