Webhook-url-http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken -

If the VM has multiple identities, you can specify the client_id or object_id in the API call to request a token for a specific user-assigned identity.

To understand how this attack works, we must first decode the URL and analyze its individual components. 1. URL Decoding the Request If the VM has multiple identities, you can

http://169.254.169.254/* http://%31%36%39%2e%32%35%34%2e%31%36%39%2e%32%35%34/* *metadata/identity/oauth2/token* If the VM has multiple identities