By kannthu
The Alibaba Metadata Service Check module is a test case that detects a misconfiguration in the Alibaba host. It specifically targets the Alibaba metadata service, which is configured as a proxy. The severity of this misconfiguration is classified as critical.
A misconfigured Alibaba metadata service can expose sensitive information, such as zone IDs, to unauthorized users. This can potentially lead to further security breaches and compromise the confidentiality and integrity of the system.
The Alibaba Metadata Service Check module works by sending an HTTP GET request to the target host's metadata service endpoint. The request is made to the path "/dynamic/instance-identity/document". The module then checks the response body for the presence of the word "zone-id". If the word is found, it indicates a misconfiguration in the Alibaba metadata service.
Here is an example of the HTTP request sent by the module:
GET http://<hostval>/dynamic/instance-identity/document HTTP/1.1
Host: <hostval>
The module matches the response body against the word "zone-id" using a case-sensitive match condition. If the word is present, the module reports a vulnerability.
It is important to note that this module is designed to detect misconfigurations in the Alibaba metadata service and does not perform any modifications or exploit any vulnerabilities.
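The matching step described above can be reproduced offline when triaging a finding. The following is an added example, not the module's own code: it applies the case-sensitive "zone-id" word match to saved HTTP responses and then runs a stricter follow-up check. The follow-up check (body parses as a JSON object with a "zone-id" key), the function names and the sample responses are assumptions constructed for illustration.

```python
import json
from http.client import HTTPResponse
from io import BytesIO

WORD = "zone-id"  # matcher word from the module description

class _Captured:
    """Socket stand-in so http.client parses saved bytes with no network I/O."""
    def __init__(self, raw): self._raw = raw
    def makefile(self, *args, **kwargs): return BytesIO(self._raw)

def parse_response(raw: bytes):
    resp = HTTPResponse(_Captured(raw))
    resp.begin()  # parse status line and headers
    return resp.status, resp.read().decode("utf-8", errors="replace")

def module_match(body: str) -> bool:
    # The module's condition as described: case-sensitive word in the body.
    return WORD in body

def is_identity_document(body: str) -> bool:
    # Stricter follow-up (assumption): a JSON object with a "zone-id" key.
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and WORD in doc

def triage(raw: bytes) -> str:
    status, body = parse_response(raw)
    if not module_match(body):
        return "no-match"
    if status == 200 and is_identity_document(body):
        return "confirmed"
    return "review"  # word present, but the body is not an identity document

# Constructed sample responses (not captured from any real host).
EXPOSED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
           b'{"zone-id": "example-zone-a", "constructed": true}')
ERROR_PAGE = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
              b"<p>No zone-id is configured for this site.</p>")
WRONG_CASE = b"HTTP/1.1 200 OK\r\n\r\nZone-ID: none"

if __name__ == "__main__":
    for name, raw in [("exposed", EXPOSED), ("error page", ERROR_PAGE),
                      ("wrong case", WRONG_CASE)]:
        print(f"{name}: {triage(raw)}")
```

A plain word match also fires on any page that happens to contain the string, which is why the "review" outcome is kept separate from "confirmed".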