Webhook-url http://169.254.169.254/metadata/identity/oauth2/token (Jun 2026)

The IMDS endpoint has required the header Metadata: true on all requests since mid-2019. If your webhook caller does not add that header, the request will fail with 400 Bad Request. However, do not rely on this as a defense – attackers can sometimes influence headers via HTTP redirects or through the X-Forwarded-* family of headers. Some libraries automatically add headers like X-Original-URI that might be misinterpreted.

This is the link-local address (RFC 3927) reserved for cloud metadata services. When an attacker sends you a webhook URL that looks like http://169.254.169.254/metadata/identity/oauth2/token, they aren't trying to send you a friendly notification. They are trying to trick your server into stealing its own cloud identity tokens.

The presence of this URL inside a (or as a parameter named webhook-url) indicates that someone – either an attacker or a vulnerable application – is trying to trick the server into making an HTTP request to that internal address.


A legitimate request from inside an Azure VM looks like this:

GET http://169.254.169 HTTP/1.1
Metadata: true

If operating in hybrid environments, enforce IMDSv2, which mandates a session-oriented token exchange mechanism, rendering blind SSRF payloads useless.

4. Practice the Principle of Least Privilege

The specific URL http://169.254.169.254/metadata/identity/oauth2/token is a sensitive endpoint within the Azure Instance Metadata Service (IMDS). This service allows virtual machines (VMs) to retrieve information about themselves and, more critically, obtain OAuth 2.0 access tokens for managed identities without needing to store hardcoded credentials.

The Role of 169.254.169.254 in Azure