Webhook URL: http://169.254.169.254/metadata/identity/oauth2/token
How the Attack Works: If the application displays the webhook response (e.g., in a "Test Webhook" log) or if the attacker can influence the request headers to send the result to their own server, they can steal this token. (Resecurity; "How Orca Found SSRF Vulnerabilities in 4 Azure Services")
Impact of Compromise: The attacker can use that token to impersonate your server and access your other Azure resources (like Databases or Key Vaults).
Using this as a webhook URL means you are attempting to send your webhook payload to that address, which will ignore it (or error), but more dangerously, a misconfigured or malicious webhook sender could request a token instead.
If your server executes a request to this internal URL, it may return a sensitive identity token.
However, I’d be glad to write a for you on a related, legitimate topic, for example: