
Commit

Merge pull request #414 from Hacking-the-Cloud/aws/update_lambda_article
Updated Lambda exploitation article
Frichetten authored Aug 20, 2024
2 parents 4745aa6 + d9bba88 commit fa1f2fe
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion content/aws/exploitation/lambda-steal-iam-credentials.md
Expand Up @@ -29,7 +29,7 @@ IAM credentials can be accessed via reading `/proc/self/environ`.
!!! Note
In the event that /proc/self/environ is blocked by a WAF, check if you can read the environment variables of other processes. This can be done by reading /proc/#/environ where '#' is some number often between 1 and 20.

In addition to IAM credentials, Lambda functions also have event data that is passed to the function when it is started. This data is made available to the function via the [runtime interface](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html). Unlike IAM credentials, this data is accessible over standard SSRF at `http://localhost:9001/2018-06-01/runtime/invocation/next`.
In addition to IAM credentials, Lambda functions also have event data that is passed to the function when it is started. This data is made available to the function via the [runtime interface](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html). Unlike IAM credentials, this data is accessible over standard SSRF at `http://169.254.100.1:9001/2018-06-01/runtime/invocation/next`. Additionally the environment variable `AWS_LAMBDA_RUNTIME_API` stores the IP address and port of the runtime interface as well.

This will include information about what invoked the Lambda function and may be valuable depending on the context.
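
Review bot: The rewritten paragraph replaces one hard-coded address (`localhost:9001`) with another (`169.254.100.1:9001`) and only mentions `AWS_LAMBDA_RUNTIME_API` as an afterthought in the final sentence. Since this commit exists because the literal address in the article stopped being right, the article would hold up better if it presented the environment variable as the authoritative source of the runtime interface's host and port and gave `169.254.100.1:9001` as the value observed at the time of writing. The added sentence also doubles up "Additionally" with "as well" and lacks a comma after "Additionally"; something like "The environment variable `AWS_LAMBDA_RUNTIME_API` also stores the IP address and port of the runtime interface." reads cleaner. It may be worth a short clause noting that this variable appears in the same `/proc/self/environ` output referenced in the hunk header context, so readers connect the two paragraphs.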
