SCN-001 / SSRF + IMDSv1 + Overprivileged Role / 2019

Capital One 2019

Server-side request forgery against a misconfigured WAF reached the EC2 metadata service, lifted credentials for an overprivileged role, and walked into three S3 buckets unchallenged.

100M

records exfil

$190M

total damage

misconfigs chained

dwell time

Paige Thompson · convicted 2022 →

A misconfigured WAF reached EC2 metadata, lifted IAM credentials, and walked into three S3 buckets. The fix was scoping one IAM role.

$270M

Exposure

$80M OCC fine 2020 + $190M class settlement 2021

4 months

Time to detect

breach March 22-23, 2019; detected July 19 via attacker boast on GitHub

1 IAM scope

Fix complexity

restrict WAF role to specific buckets, not s3:* on all

Ask your team this Friday

Are any of our IAM roles assumable from ec2.amazonaws.com with s3:* on production buckets?

→ Audit my environment

Select scenario

  
 HTTP   
 STEP 01 Attacker probes for SSRF 
SSRF payload disguised as a preview URL
 1GET /api/preview?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1
2Host: vulnerable-waf.example.com
3User-Agent: curl/7.61
4Accept: */*
5
6# ⚠ url= contains 169.254.169.254 - AWS metadata endpoint.
7# ⚠ WAF should block; the SecRule is defined but not active. 
Opening move · URL-encoded payload disguised as a preview request. Designed to force the WAF to fetch the IMDS endpoint server-side.
  1 / 5  

← back

Executive briefing · blast-audit

Capital One 2019

Server-side request forgery against a misconfigured WAF reached the EC2 metadata service, lifted credentials for an overprivileged role, and walked into three S3 buckets unchallenged.

A misconfigured WAF reached EC2 metadata, lifted IAM credentials, and walked into three S3 buckets. The fix was scoping one IAM role.

$270M

Exposure

$80M OCC fine 2020 + $190M class settlement 2021

4 months

Time to detect

breach March 22-23, 2019; detected July 19 via attacker boast on GitHub

1 IAM scope

Fix complexity

restrict WAF role to specific buckets, not s3:* on all

Ask your team this Friday

Are any of our IAM roles assumable from ec2.amazonaws.com with s3:* on production buckets?

Verified incident

Capital One: 100M+ customers · $40.7M restitution

Paige A. Thompson (former Amazon employee)

How it happened

In March 2019 Paige Thompson exploited a misconfigured ModSecurity WAF at Capital One via Server-Side Request Forgery (SSRF) to reach the EC2 Instance Metadata Service (IMDSv1) and steal credentials for the WAF's IAM role. The role had wildcard s3:* permissions and Thompson exfiltrated 100M+ customer records across multiple S3 buckets. A U.S. District Court jury in Seattle (June 2022) found Thompson guilty of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer.

Outcome

Sentenced (October 2022): time served + 5 years probation + 3 years home confinement + 250 hours community service + $40.7M restitution. A federal appeals court later ruled the sentence too lenient; on remand the district court reimposed the same terms.

Sources

Open on desktop for the full demo

Capital One 2019

Capital One 2019

Generate audit report