Which cloud-specific attack involves an application making HTTP requests to internal metadata endpoints such as 169.254.169.254 to retrieve cloud instance credentials?
SSRF tricks the server into making requests to internal endpoints.
Why this answer
The attack described is Server-Side Request Forgery (SSRF), where an attacker exploits a vulnerable application to make HTTP requests to internal metadata endpoints like 169.254.169.254 (the link-local address for cloud instance metadata services). This allows the attacker to retrieve cloud instance credentials (e.g., AWS IAM role temporary credentials) that are normally accessible only from within the instance, leading to privilege escalation and lateral movement.
Exam trap
Cisco often tests SSRF by pairing it with the specific IP 169.254.169.254, and the trap here is that candidates may confuse SSRF with Dependency Confusion (both involve external resources) or think XSS/SQLi can be used to access internal endpoints, but only SSRF exploits server-side request handling to reach cloud metadata.
How to eliminate wrong answers
Option A (Dependency Confusion) is wrong because it involves an attacker uploading a malicious package with the same name as an internal dependency to a public repository, tricking the package manager into installing it; it does not involve HTTP requests to metadata endpoints. Option C (Cross-Site Scripting) is wrong because it injects malicious scripts into web pages viewed by other users, targeting client-side browsers rather than server-side requests to internal IPs. Option D (SQL Injection) is wrong because it manipulates database queries through input fields, not HTTP requests to cloud metadata services.